1 /* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> 9 * James Morris <jmorris@redhat.com> 10 * 11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 13 * Eric Paris <eparis@redhat.com> 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 15 * <dgoeddel@trustedcs.com> 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. 17 * Paul Moore <paul@paul-moore.com> 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 19 * Yuichi Nakamura <ynakam@hitachisoft.jp> 20 * Copyright (C) 2016 Mellanox Technologies 21 * 22 * This program is free software; you can redistribute it and/or modify 23 * it under the terms of the GNU General Public License version 2, 24 * as published by the Free Software Foundation. 25 */ 26 27 #include <linux/init.h> 28 #include <linux/kd.h> 29 #include <linux/kernel.h> 30 #include <linux/tracehook.h> 31 #include <linux/errno.h> 32 #include <linux/sched/signal.h> 33 #include <linux/sched/task.h> 34 #include <linux/lsm_hooks.h> 35 #include <linux/xattr.h> 36 #include <linux/capability.h> 37 #include <linux/unistd.h> 38 #include <linux/mm.h> 39 #include <linux/mman.h> 40 #include <linux/slab.h> 41 #include <linux/pagemap.h> 42 #include <linux/proc_fs.h> 43 #include <linux/swap.h> 44 #include <linux/spinlock.h> 45 #include <linux/syscalls.h> 46 #include <linux/dcache.h> 47 #include <linux/file.h> 48 #include <linux/fdtable.h> 49 #include <linux/namei.h> 50 #include <linux/mount.h> 51 #include <linux/netfilter_ipv4.h> 52 #include <linux/netfilter_ipv6.h> 53 #include <linux/tty.h> 54 #include <net/icmp.h> 55 #include <net/ip.h> /* for local_port_range[] */ 56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 57 #include <net/inet_connection_sock.h> 58 #include <net/net_namespace.h> 59 #include <net/netlabel.h> 60 #include <linux/uaccess.h> 61 #include <asm/ioctls.h> 62 #include <linux/atomic.h> 63 #include <linux/bitops.h> 64 #include <linux/interrupt.h> 65 #include <linux/netdevice.h> /* for network interface checks */ 66 #include <net/netlink.h> 67 #include <linux/tcp.h> 68 #include <linux/udp.h> 69 #include <linux/dccp.h> 70 #include <linux/sctp.h> 71 #include <net/sctp/structs.h> 72 #include <linux/quota.h> 73 #include <linux/un.h> /* for Unix socket types */ 74 #include <net/af_unix.h> /* for Unix socket types */ 75 #include <linux/parser.h> 76 #include <linux/nfs_mount.h> 77 #include <net/ipv6.h> 78 #include <linux/hugetlb.h> 79 #include <linux/personality.h> 80 #include <linux/audit.h> 81 #include <linux/string.h> 82 #include <linux/mutex.h> 83 #include <linux/posix-timers.h> 84 #include <linux/syslog.h> 85 #include <linux/user_namespace.h> 86 #include <linux/export.h> 87 #include <linux/msg.h> 88 #include <linux/shm.h> 89 #include <linux/bpf.h> 90 #include <uapi/linux/mount.h> 91 92 #include "avc.h" 93 #include "objsec.h" 94 #include "netif.h" 95 #include "netnode.h" 96 #include "netport.h" 97 #include "ibpkey.h" 98 #include "xfrm.h" 99 #include "netlabel.h" 100 #include "audit.h" 101 #include "avc_ss.h" 102 103 struct selinux_state selinux_state; 104 105 /* SECMARK reference count */ 106 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 107 108 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 109 static int selinux_enforcing_boot; 110 111 static int __init enforcing_setup(char *str) 112 { 113 unsigned long enforcing; 114 if (!kstrtoul(str, 0, &enforcing)) 115 selinux_enforcing_boot = enforcing ? 1 : 0; 116 return 1; 117 } 118 __setup("enforcing=", enforcing_setup); 119 #else 120 #define selinux_enforcing_boot 1 121 #endif 122 123 int selinux_enabled __lsm_ro_after_init = 1; 124 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 125 static int __init selinux_enabled_setup(char *str) 126 { 127 unsigned long enabled; 128 if (!kstrtoul(str, 0, &enabled)) 129 selinux_enabled = enabled ? 1 : 0; 130 return 1; 131 } 132 __setup("selinux=", selinux_enabled_setup); 133 #endif 134 135 static unsigned int selinux_checkreqprot_boot = 136 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; 137 138 static int __init checkreqprot_setup(char *str) 139 { 140 unsigned long checkreqprot; 141 142 if (!kstrtoul(str, 0, &checkreqprot)) 143 selinux_checkreqprot_boot = checkreqprot ? 1 : 0; 144 return 1; 145 } 146 __setup("checkreqprot=", checkreqprot_setup); 147 148 /** 149 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 150 * 151 * Description: 152 * This function checks the SECMARK reference counter to see if any SECMARK 153 * targets are currently configured, if the reference counter is greater than 154 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 155 * enabled, false (0) if SECMARK is disabled. If the always_check_network 156 * policy capability is enabled, SECMARK is always considered enabled. 157 * 158 */ 159 static int selinux_secmark_enabled(void) 160 { 161 return (selinux_policycap_alwaysnetwork() || 162 atomic_read(&selinux_secmark_refcount)); 163 } 164 165 /** 166 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled 167 * 168 * Description: 169 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true 170 * (1) if any are enabled or false (0) if neither are enabled. If the 171 * always_check_network policy capability is enabled, peer labeling 172 * is always considered enabled. 173 * 174 */ 175 static int selinux_peerlbl_enabled(void) 176 { 177 return (selinux_policycap_alwaysnetwork() || 178 netlbl_enabled() || selinux_xfrm_enabled()); 179 } 180 181 static int selinux_netcache_avc_callback(u32 event) 182 { 183 if (event == AVC_CALLBACK_RESET) { 184 sel_netif_flush(); 185 sel_netnode_flush(); 186 sel_netport_flush(); 187 synchronize_net(); 188 } 189 return 0; 190 } 191 192 static int selinux_lsm_notifier_avc_callback(u32 event) 193 { 194 if (event == AVC_CALLBACK_RESET) { 195 sel_ib_pkey_flush(); 196 call_lsm_notifier(LSM_POLICY_CHANGE, NULL); 197 } 198 199 return 0; 200 } 201 202 /* 203 * initialise the security for the init task 204 */ 205 static void cred_init_security(void) 206 { 207 struct cred *cred = (struct cred *) current->real_cred; 208 struct task_security_struct *tsec; 209 210 lsm_early_cred(cred); 211 tsec = selinux_cred(cred); 212 tsec->osid = tsec->sid = SECINITSID_KERNEL; 213 } 214 215 /* 216 * get the security ID of a set of credentials 217 */ 218 static inline u32 cred_sid(const struct cred *cred) 219 { 220 const struct task_security_struct *tsec; 221 222 tsec = selinux_cred(cred); 223 return tsec->sid; 224 } 225 226 /* 227 * get the objective security ID of a task 228 */ 229 static inline u32 task_sid(const struct task_struct *task) 230 { 231 u32 sid; 232 233 rcu_read_lock(); 234 sid = cred_sid(__task_cred(task)); 235 rcu_read_unlock(); 236 return sid; 237 } 238 239 /* Allocate and free functions for each kind of security blob. */ 240 241 static int inode_alloc_security(struct inode *inode) 242 { 243 struct inode_security_struct *isec = selinux_inode(inode); 244 u32 sid = current_sid(); 245 246 spin_lock_init(&isec->lock); 247 INIT_LIST_HEAD(&isec->list); 248 isec->inode = inode; 249 isec->sid = SECINITSID_UNLABELED; 250 isec->sclass = SECCLASS_FILE; 251 isec->task_sid = sid; 252 isec->initialized = LABEL_INVALID; 253 254 return 0; 255 } 256 257 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 258 259 /* 260 * Try reloading inode security labels that have been marked as invalid. The 261 * @may_sleep parameter indicates when sleeping and thus reloading labels is 262 * allowed; when set to false, returns -ECHILD when the label is 263 * invalid. The @dentry parameter should be set to a dentry of the inode. 264 */ 265 static int __inode_security_revalidate(struct inode *inode, 266 struct dentry *dentry, 267 bool may_sleep) 268 { 269 struct inode_security_struct *isec = selinux_inode(inode); 270 271 might_sleep_if(may_sleep); 272 273 if (selinux_state.initialized && 274 isec->initialized != LABEL_INITIALIZED) { 275 if (!may_sleep) 276 return -ECHILD; 277 278 /* 279 * Try reloading the inode security label. This will fail if 280 * @opt_dentry is NULL and no dentry for this inode can be 281 * found; in that case, continue using the old label. 282 */ 283 inode_doinit_with_dentry(inode, dentry); 284 } 285 return 0; 286 } 287 288 static struct inode_security_struct *inode_security_novalidate(struct inode *inode) 289 { 290 return selinux_inode(inode); 291 } 292 293 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu) 294 { 295 int error; 296 297 error = __inode_security_revalidate(inode, NULL, !rcu); 298 if (error) 299 return ERR_PTR(error); 300 return selinux_inode(inode); 301 } 302 303 /* 304 * Get the security label of an inode. 305 */ 306 static struct inode_security_struct *inode_security(struct inode *inode) 307 { 308 __inode_security_revalidate(inode, NULL, true); 309 return selinux_inode(inode); 310 } 311 312 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry) 313 { 314 struct inode *inode = d_backing_inode(dentry); 315 316 return selinux_inode(inode); 317 } 318 319 /* 320 * Get the security label of a dentry's backing inode. 321 */ 322 static struct inode_security_struct *backing_inode_security(struct dentry *dentry) 323 { 324 struct inode *inode = d_backing_inode(dentry); 325 326 __inode_security_revalidate(inode, dentry, true); 327 return selinux_inode(inode); 328 } 329 330 static void inode_free_security(struct inode *inode) 331 { 332 struct inode_security_struct *isec = selinux_inode(inode); 333 struct superblock_security_struct *sbsec; 334 335 if (!isec) 336 return; 337 sbsec = inode->i_sb->s_security; 338 /* 339 * As not all inode security structures are in a list, we check for 340 * empty list outside of the lock to make sure that we won't waste 341 * time taking a lock doing nothing. 342 * 343 * The list_del_init() function can be safely called more than once. 344 * It should not be possible for this function to be called with 345 * concurrent list_add(), but for better safety against future changes 346 * in the code, we use list_empty_careful() here. 347 */ 348 if (!list_empty_careful(&isec->list)) { 349 spin_lock(&sbsec->isec_lock); 350 list_del_init(&isec->list); 351 spin_unlock(&sbsec->isec_lock); 352 } 353 } 354 355 static int file_alloc_security(struct file *file) 356 { 357 struct file_security_struct *fsec = selinux_file(file); 358 u32 sid = current_sid(); 359 360 fsec->sid = sid; 361 fsec->fown_sid = sid; 362 363 return 0; 364 } 365 366 static int superblock_alloc_security(struct super_block *sb) 367 { 368 struct superblock_security_struct *sbsec; 369 370 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); 371 if (!sbsec) 372 return -ENOMEM; 373 374 mutex_init(&sbsec->lock); 375 INIT_LIST_HEAD(&sbsec->isec_head); 376 spin_lock_init(&sbsec->isec_lock); 377 sbsec->sb = sb; 378 sbsec->sid = SECINITSID_UNLABELED; 379 sbsec->def_sid = SECINITSID_FILE; 380 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 381 sb->s_security = sbsec; 382 383 return 0; 384 } 385 386 static void superblock_free_security(struct super_block *sb) 387 { 388 struct superblock_security_struct *sbsec = sb->s_security; 389 sb->s_security = NULL; 390 kfree(sbsec); 391 } 392 393 struct selinux_mnt_opts { 394 const char *fscontext, *context, *rootcontext, *defcontext; 395 }; 396 397 static void selinux_free_mnt_opts(void *mnt_opts) 398 { 399 struct selinux_mnt_opts *opts = mnt_opts; 400 kfree(opts->fscontext); 401 kfree(opts->context); 402 kfree(opts->rootcontext); 403 kfree(opts->defcontext); 404 kfree(opts); 405 } 406 407 static inline int inode_doinit(struct inode *inode) 408 { 409 return inode_doinit_with_dentry(inode, NULL); 410 } 411 412 enum { 413 Opt_error = -1, 414 Opt_context = 1, 415 Opt_fscontext = 2, 416 Opt_defcontext = 3, 417 Opt_rootcontext = 4, 418 Opt_seclabel = 5, 419 }; 420 421 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg} 422 static struct { 423 const char *name; 424 int len; 425 int opt; 426 bool has_arg; 427 } tokens[] = { 428 A(context, true), 429 A(fscontext, true), 430 A(defcontext, true), 431 A(rootcontext, true), 432 A(seclabel, false), 433 }; 434 #undef A 435 436 static int match_opt_prefix(char *s, int l, char **arg) 437 { 438 int i; 439 440 for (i = 0; i < ARRAY_SIZE(tokens); i++) { 441 size_t len = tokens[i].len; 442 if (len > l || memcmp(s, tokens[i].name, len)) 443 continue; 444 if (tokens[i].has_arg) { 445 if (len == l || s[len] != '=') 446 continue; 447 *arg = s + len + 1; 448 } else if (len != l) 449 continue; 450 return tokens[i].opt; 451 } 452 return Opt_error; 453 } 454 455 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 456 457 static int may_context_mount_sb_relabel(u32 sid, 458 struct superblock_security_struct *sbsec, 459 const struct cred *cred) 460 { 461 const struct task_security_struct *tsec = selinux_cred(cred); 462 int rc; 463 464 rc = avc_has_perm(&selinux_state, 465 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 466 FILESYSTEM__RELABELFROM, NULL); 467 if (rc) 468 return rc; 469 470 rc = avc_has_perm(&selinux_state, 471 tsec->sid, sid, SECCLASS_FILESYSTEM, 472 FILESYSTEM__RELABELTO, NULL); 473 return rc; 474 } 475 476 static int may_context_mount_inode_relabel(u32 sid, 477 struct superblock_security_struct *sbsec, 478 const struct cred *cred) 479 { 480 const struct task_security_struct *tsec = selinux_cred(cred); 481 int rc; 482 rc = avc_has_perm(&selinux_state, 483 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 484 FILESYSTEM__RELABELFROM, NULL); 485 if (rc) 486 return rc; 487 488 rc = avc_has_perm(&selinux_state, 489 sid, sbsec->sid, SECCLASS_FILESYSTEM, 490 FILESYSTEM__ASSOCIATE, NULL); 491 return rc; 492 } 493 494 static int selinux_is_sblabel_mnt(struct super_block *sb) 495 { 496 struct superblock_security_struct *sbsec = sb->s_security; 497 498 return sbsec->behavior == SECURITY_FS_USE_XATTR || 499 sbsec->behavior == SECURITY_FS_USE_TRANS || 500 sbsec->behavior == SECURITY_FS_USE_TASK || 501 sbsec->behavior == SECURITY_FS_USE_NATIVE || 502 /* Special handling. Genfs but also in-core setxattr handler */ 503 !strcmp(sb->s_type->name, "sysfs") || 504 !strcmp(sb->s_type->name, "pstore") || 505 !strcmp(sb->s_type->name, "debugfs") || 506 !strcmp(sb->s_type->name, "tracefs") || 507 !strcmp(sb->s_type->name, "rootfs") || 508 (selinux_policycap_cgroupseclabel() && 509 (!strcmp(sb->s_type->name, "cgroup") || 510 !strcmp(sb->s_type->name, "cgroup2"))); 511 } 512 513 static int sb_finish_set_opts(struct super_block *sb) 514 { 515 struct superblock_security_struct *sbsec = sb->s_security; 516 struct dentry *root = sb->s_root; 517 struct inode *root_inode = d_backing_inode(root); 518 int rc = 0; 519 520 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 521 /* Make sure that the xattr handler exists and that no 522 error other than -ENODATA is returned by getxattr on 523 the root directory. -ENODATA is ok, as this may be 524 the first boot of the SELinux kernel before we have 525 assigned xattr values to the filesystem. */ 526 if (!(root_inode->i_opflags & IOP_XATTR)) { 527 pr_warn("SELinux: (dev %s, type %s) has no " 528 "xattr support\n", sb->s_id, sb->s_type->name); 529 rc = -EOPNOTSUPP; 530 goto out; 531 } 532 533 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0); 534 if (rc < 0 && rc != -ENODATA) { 535 if (rc == -EOPNOTSUPP) 536 pr_warn("SELinux: (dev %s, type " 537 "%s) has no security xattr handler\n", 538 sb->s_id, sb->s_type->name); 539 else 540 pr_warn("SELinux: (dev %s, type " 541 "%s) getxattr errno %d\n", sb->s_id, 542 sb->s_type->name, -rc); 543 goto out; 544 } 545 } 546 547 sbsec->flags |= SE_SBINITIALIZED; 548 549 /* 550 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply 551 * leave the flag untouched because sb_clone_mnt_opts might be handing 552 * us a superblock that needs the flag to be cleared. 553 */ 554 if (selinux_is_sblabel_mnt(sb)) 555 sbsec->flags |= SBLABEL_MNT; 556 else 557 sbsec->flags &= ~SBLABEL_MNT; 558 559 /* Initialize the root inode. */ 560 rc = inode_doinit_with_dentry(root_inode, root); 561 562 /* Initialize any other inodes associated with the superblock, e.g. 563 inodes created prior to initial policy load or inodes created 564 during get_sb by a pseudo filesystem that directly 565 populates itself. */ 566 spin_lock(&sbsec->isec_lock); 567 while (!list_empty(&sbsec->isec_head)) { 568 struct inode_security_struct *isec = 569 list_first_entry(&sbsec->isec_head, 570 struct inode_security_struct, list); 571 struct inode *inode = isec->inode; 572 list_del_init(&isec->list); 573 spin_unlock(&sbsec->isec_lock); 574 inode = igrab(inode); 575 if (inode) { 576 if (!IS_PRIVATE(inode)) 577 inode_doinit(inode); 578 iput(inode); 579 } 580 spin_lock(&sbsec->isec_lock); 581 } 582 spin_unlock(&sbsec->isec_lock); 583 out: 584 return rc; 585 } 586 587 static int bad_option(struct superblock_security_struct *sbsec, char flag, 588 u32 old_sid, u32 new_sid) 589 { 590 char mnt_flags = sbsec->flags & SE_MNTMASK; 591 592 /* check if the old mount command had the same options */ 593 if (sbsec->flags & SE_SBINITIALIZED) 594 if (!(sbsec->flags & flag) || 595 (old_sid != new_sid)) 596 return 1; 597 598 /* check if we were passed the same options twice, 599 * aka someone passed context=a,context=b 600 */ 601 if (!(sbsec->flags & SE_SBINITIALIZED)) 602 if (mnt_flags & flag) 603 return 1; 604 return 0; 605 } 606 607 static int parse_sid(struct super_block *sb, const char *s, u32 *sid) 608 { 609 int rc = security_context_str_to_sid(&selinux_state, s, 610 sid, GFP_KERNEL); 611 if (rc) 612 pr_warn("SELinux: security_context_str_to_sid" 613 "(%s) failed for (dev %s, type %s) errno=%d\n", 614 s, sb->s_id, sb->s_type->name, rc); 615 return rc; 616 } 617 618 /* 619 * Allow filesystems with binary mount data to explicitly set mount point 620 * labeling information. 621 */ 622 static int selinux_set_mnt_opts(struct super_block *sb, 623 void *mnt_opts, 624 unsigned long kern_flags, 625 unsigned long *set_kern_flags) 626 { 627 const struct cred *cred = current_cred(); 628 struct superblock_security_struct *sbsec = sb->s_security; 629 struct dentry *root = sbsec->sb->s_root; 630 struct selinux_mnt_opts *opts = mnt_opts; 631 struct inode_security_struct *root_isec; 632 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 633 u32 defcontext_sid = 0; 634 int rc = 0; 635 636 mutex_lock(&sbsec->lock); 637 638 if (!selinux_state.initialized) { 639 if (!opts) { 640 /* Defer initialization until selinux_complete_init, 641 after the initial policy is loaded and the security 642 server is ready to handle calls. */ 643 goto out; 644 } 645 rc = -EINVAL; 646 pr_warn("SELinux: Unable to set superblock options " 647 "before the security server is initialized\n"); 648 goto out; 649 } 650 if (kern_flags && !set_kern_flags) { 651 /* Specifying internal flags without providing a place to 652 * place the results is not allowed */ 653 rc = -EINVAL; 654 goto out; 655 } 656 657 /* 658 * Binary mount data FS will come through this function twice. Once 659 * from an explicit call and once from the generic calls from the vfs. 660 * Since the generic VFS calls will not contain any security mount data 661 * we need to skip the double mount verification. 662 * 663 * This does open a hole in which we will not notice if the first 664 * mount using this sb set explict options and a second mount using 665 * this sb does not set any security options. (The first options 666 * will be used for both mounts) 667 */ 668 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 669 && !opts) 670 goto out; 671 672 root_isec = backing_inode_security_novalidate(root); 673 674 /* 675 * parse the mount options, check if they are valid sids. 676 * also check if someone is trying to mount the same sb more 677 * than once with different security options. 678 */ 679 if (opts) { 680 if (opts->fscontext) { 681 rc = parse_sid(sb, opts->fscontext, &fscontext_sid); 682 if (rc) 683 goto out; 684 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 685 fscontext_sid)) 686 goto out_double_mount; 687 sbsec->flags |= FSCONTEXT_MNT; 688 } 689 if (opts->context) { 690 rc = parse_sid(sb, opts->context, &context_sid); 691 if (rc) 692 goto out; 693 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 694 context_sid)) 695 goto out_double_mount; 696 sbsec->flags |= CONTEXT_MNT; 697 } 698 if (opts->rootcontext) { 699 rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid); 700 if (rc) 701 goto out; 702 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 703 rootcontext_sid)) 704 goto out_double_mount; 705 sbsec->flags |= ROOTCONTEXT_MNT; 706 } 707 if (opts->defcontext) { 708 rc = parse_sid(sb, opts->defcontext, &defcontext_sid); 709 if (rc) 710 goto out; 711 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 712 defcontext_sid)) 713 goto out_double_mount; 714 sbsec->flags |= DEFCONTEXT_MNT; 715 } 716 } 717 718 if (sbsec->flags & SE_SBINITIALIZED) { 719 /* previously mounted with options, but not on this attempt? */ 720 if ((sbsec->flags & SE_MNTMASK) && !opts) 721 goto out_double_mount; 722 rc = 0; 723 goto out; 724 } 725 726 if (strcmp(sb->s_type->name, "proc") == 0) 727 sbsec->flags |= SE_SBPROC | SE_SBGENFS; 728 729 if (!strcmp(sb->s_type->name, "debugfs") || 730 !strcmp(sb->s_type->name, "tracefs") || 731 !strcmp(sb->s_type->name, "sysfs") || 732 !strcmp(sb->s_type->name, "pstore") || 733 !strcmp(sb->s_type->name, "cgroup") || 734 !strcmp(sb->s_type->name, "cgroup2")) 735 sbsec->flags |= SE_SBGENFS; 736 737 if (!sbsec->behavior) { 738 /* 739 * Determine the labeling behavior to use for this 740 * filesystem type. 741 */ 742 rc = security_fs_use(&selinux_state, sb); 743 if (rc) { 744 pr_warn("%s: security_fs_use(%s) returned %d\n", 745 __func__, sb->s_type->name, rc); 746 goto out; 747 } 748 } 749 750 /* 751 * If this is a user namespace mount and the filesystem type is not 752 * explicitly whitelisted, then no contexts are allowed on the command 753 * line and security labels must be ignored. 754 */ 755 if (sb->s_user_ns != &init_user_ns && 756 strcmp(sb->s_type->name, "tmpfs") && 757 strcmp(sb->s_type->name, "ramfs") && 758 strcmp(sb->s_type->name, "devpts")) { 759 if (context_sid || fscontext_sid || rootcontext_sid || 760 defcontext_sid) { 761 rc = -EACCES; 762 goto out; 763 } 764 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 765 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 766 rc = security_transition_sid(&selinux_state, 767 current_sid(), 768 current_sid(), 769 SECCLASS_FILE, NULL, 770 &sbsec->mntpoint_sid); 771 if (rc) 772 goto out; 773 } 774 goto out_set_opts; 775 } 776 777 /* sets the context of the superblock for the fs being mounted. */ 778 if (fscontext_sid) { 779 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); 780 if (rc) 781 goto out; 782 783 sbsec->sid = fscontext_sid; 784 } 785 786 /* 787 * Switch to using mount point labeling behavior. 788 * sets the label used on all file below the mountpoint, and will set 789 * the superblock context if not already set. 790 */ 791 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) { 792 sbsec->behavior = SECURITY_FS_USE_NATIVE; 793 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 794 } 795 796 if (context_sid) { 797 if (!fscontext_sid) { 798 rc = may_context_mount_sb_relabel(context_sid, sbsec, 799 cred); 800 if (rc) 801 goto out; 802 sbsec->sid = context_sid; 803 } else { 804 rc = may_context_mount_inode_relabel(context_sid, sbsec, 805 cred); 806 if (rc) 807 goto out; 808 } 809 if (!rootcontext_sid) 810 rootcontext_sid = context_sid; 811 812 sbsec->mntpoint_sid = context_sid; 813 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 814 } 815 816 if (rootcontext_sid) { 817 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, 818 cred); 819 if (rc) 820 goto out; 821 822 root_isec->sid = rootcontext_sid; 823 root_isec->initialized = LABEL_INITIALIZED; 824 } 825 826 if (defcontext_sid) { 827 if (sbsec->behavior != SECURITY_FS_USE_XATTR && 828 sbsec->behavior != SECURITY_FS_USE_NATIVE) { 829 rc = -EINVAL; 830 pr_warn("SELinux: defcontext option is " 831 "invalid for this filesystem type\n"); 832 goto out; 833 } 834 835 if (defcontext_sid != sbsec->def_sid) { 836 rc = may_context_mount_inode_relabel(defcontext_sid, 837 sbsec, cred); 838 if (rc) 839 goto out; 840 } 841 842 sbsec->def_sid = defcontext_sid; 843 } 844 845 out_set_opts: 846 rc = sb_finish_set_opts(sb); 847 out: 848 mutex_unlock(&sbsec->lock); 849 return rc; 850 out_double_mount: 851 rc = -EINVAL; 852 pr_warn("SELinux: mount invalid. Same superblock, different " 853 "security settings for (dev %s, type %s)\n", sb->s_id, 854 sb->s_type->name); 855 goto out; 856 } 857 858 static int selinux_cmp_sb_context(const struct super_block *oldsb, 859 const struct super_block *newsb) 860 { 861 struct superblock_security_struct *old = oldsb->s_security; 862 struct superblock_security_struct *new = newsb->s_security; 863 char oldflags = old->flags & SE_MNTMASK; 864 char newflags = new->flags & SE_MNTMASK; 865 866 if (oldflags != newflags) 867 goto mismatch; 868 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid) 869 goto mismatch; 870 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid) 871 goto mismatch; 872 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid) 873 goto mismatch; 874 if (oldflags & ROOTCONTEXT_MNT) { 875 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root); 876 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root); 877 if (oldroot->sid != newroot->sid) 878 goto mismatch; 879 } 880 return 0; 881 mismatch: 882 pr_warn("SELinux: mount invalid. Same superblock, " 883 "different security settings for (dev %s, " 884 "type %s)\n", newsb->s_id, newsb->s_type->name); 885 return -EBUSY; 886 } 887 888 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 889 struct super_block *newsb, 890 unsigned long kern_flags, 891 unsigned long *set_kern_flags) 892 { 893 int rc = 0; 894 const struct superblock_security_struct *oldsbsec = oldsb->s_security; 895 struct superblock_security_struct *newsbsec = newsb->s_security; 896 897 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 898 int set_context = (oldsbsec->flags & CONTEXT_MNT); 899 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 900 901 /* 902 * if the parent was able to be mounted it clearly had no special lsm 903 * mount options. thus we can safely deal with this superblock later 904 */ 905 if (!selinux_state.initialized) 906 return 0; 907 908 /* 909 * Specifying internal flags without providing a place to 910 * place the results is not allowed. 911 */ 912 if (kern_flags && !set_kern_flags) 913 return -EINVAL; 914 915 /* how can we clone if the old one wasn't set up?? */ 916 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); 917 918 /* if fs is reusing a sb, make sure that the contexts match */ 919 if (newsbsec->flags & SE_SBINITIALIZED) 920 return selinux_cmp_sb_context(oldsb, newsb); 921 922 mutex_lock(&newsbsec->lock); 923 924 newsbsec->flags = oldsbsec->flags; 925 926 newsbsec->sid = oldsbsec->sid; 927 newsbsec->def_sid = oldsbsec->def_sid; 928 newsbsec->behavior = oldsbsec->behavior; 929 930 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE && 931 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) { 932 rc = security_fs_use(&selinux_state, newsb); 933 if (rc) 934 goto out; 935 } 936 937 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) { 938 newsbsec->behavior = SECURITY_FS_USE_NATIVE; 939 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 940 } 941 942 if (set_context) { 943 u32 sid = oldsbsec->mntpoint_sid; 944 945 if (!set_fscontext) 946 newsbsec->sid = sid; 947 if (!set_rootcontext) { 948 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 949 newisec->sid = sid; 950 } 951 newsbsec->mntpoint_sid = sid; 952 } 953 if (set_rootcontext) { 954 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root); 955 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 956 957 newisec->sid = oldisec->sid; 958 } 959 960 sb_finish_set_opts(newsb); 961 out: 962 mutex_unlock(&newsbsec->lock); 963 return rc; 964 } 965 966 static int selinux_add_opt(int token, const char *s, void **mnt_opts) 967 { 968 struct selinux_mnt_opts *opts = *mnt_opts; 969 970 if (token == Opt_seclabel) /* eaten and completely ignored */ 971 return 0; 972 973 if (!opts) { 974 opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL); 975 if (!opts) 976 return -ENOMEM; 977 *mnt_opts = opts; 978 } 979 if (!s) 980 return -ENOMEM; 981 switch (token) { 982 case Opt_context: 983 if (opts->context || opts->defcontext) 984 goto Einval; 985 opts->context = s; 986 break; 987 case Opt_fscontext: 988 if (opts->fscontext) 989 goto Einval; 990 opts->fscontext = s; 991 break; 992 case Opt_rootcontext: 993 if (opts->rootcontext) 994 goto Einval; 995 opts->rootcontext = s; 996 break; 997 case Opt_defcontext: 998 if (opts->context || opts->defcontext) 999 goto Einval; 1000 opts->defcontext = s; 1001 break; 1002 } 1003 return 0; 1004 Einval: 1005 pr_warn(SEL_MOUNT_FAIL_MSG); 1006 return -EINVAL; 1007 } 1008 1009 static int selinux_add_mnt_opt(const char *option, const char *val, int len, 1010 void **mnt_opts) 1011 { 1012 int token = Opt_error; 1013 int rc, i; 1014 1015 for (i = 0; i < ARRAY_SIZE(tokens); i++) { 1016 if (strcmp(option, tokens[i].name) == 0) { 1017 token = tokens[i].opt; 1018 break; 1019 } 1020 } 1021 1022 if (token == Opt_error) 1023 return -EINVAL; 1024 1025 if (token != Opt_seclabel) 1026 val = kmemdup_nul(val, len, GFP_KERNEL); 1027 rc = selinux_add_opt(token, val, mnt_opts); 1028 if (unlikely(rc)) { 1029 kfree(val); 1030 if (*mnt_opts) { 1031 selinux_free_mnt_opts(*mnt_opts); 1032 *mnt_opts = NULL; 1033 } 1034 } 1035 return rc; 1036 } 1037 1038 static int show_sid(struct seq_file *m, u32 sid) 1039 { 1040 char *context = NULL; 1041 u32 len; 1042 int rc; 1043 1044 rc = security_sid_to_context(&selinux_state, sid, 1045 &context, &len); 1046 if (!rc) { 1047 bool has_comma = context && strchr(context, ','); 1048 1049 if (has_comma) 1050 seq_putc(m, '\"'); 1051 seq_escape(m, context, "\"\n\\"); 1052 if (has_comma) 1053 seq_putc(m, '\"'); 1054 } 1055 kfree(context); 1056 return rc; 1057 } 1058 1059 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1060 { 1061 struct superblock_security_struct *sbsec = sb->s_security; 1062 int rc; 1063 1064 if (!(sbsec->flags & SE_SBINITIALIZED)) 1065 return 0; 1066 1067 if (!selinux_state.initialized) 1068 return 0; 1069 1070 if (sbsec->flags & FSCONTEXT_MNT) { 1071 seq_putc(m, ','); 1072 seq_puts(m, FSCONTEXT_STR); 1073 rc = show_sid(m, sbsec->sid); 1074 if (rc) 1075 return rc; 1076 } 1077 if (sbsec->flags & CONTEXT_MNT) { 1078 seq_putc(m, ','); 1079 seq_puts(m, CONTEXT_STR); 1080 rc = show_sid(m, sbsec->mntpoint_sid); 1081 if (rc) 1082 return rc; 1083 } 1084 if (sbsec->flags & DEFCONTEXT_MNT) { 1085 seq_putc(m, ','); 1086 seq_puts(m, DEFCONTEXT_STR); 1087 rc = show_sid(m, sbsec->def_sid); 1088 if (rc) 1089 return rc; 1090 } 1091 if (sbsec->flags & ROOTCONTEXT_MNT) { 1092 struct dentry *root = sbsec->sb->s_root; 1093 struct inode_security_struct *isec = backing_inode_security(root); 1094 seq_putc(m, ','); 1095 seq_puts(m, ROOTCONTEXT_STR); 1096 rc = show_sid(m, isec->sid); 1097 if (rc) 1098 return rc; 1099 } 1100 if (sbsec->flags & SBLABEL_MNT) { 1101 seq_putc(m, ','); 1102 seq_puts(m, LABELSUPP_STR); 1103 } 1104 return 0; 1105 } 1106 1107 static inline u16 inode_mode_to_security_class(umode_t mode) 1108 { 1109 switch (mode & S_IFMT) { 1110 case S_IFSOCK: 1111 return SECCLASS_SOCK_FILE; 1112 case S_IFLNK: 1113 return SECCLASS_LNK_FILE; 1114 case S_IFREG: 1115 return SECCLASS_FILE; 1116 case S_IFBLK: 1117 return SECCLASS_BLK_FILE; 1118 case S_IFDIR: 1119 return SECCLASS_DIR; 1120 case S_IFCHR: 1121 return SECCLASS_CHR_FILE; 1122 case S_IFIFO: 1123 return SECCLASS_FIFO_FILE; 1124 1125 } 1126 1127 return SECCLASS_FILE; 1128 } 1129 1130 static inline int default_protocol_stream(int protocol) 1131 { 1132 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); 1133 } 1134 1135 static inline int default_protocol_dgram(int protocol) 1136 { 1137 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1138 } 1139 1140 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1141 { 1142 int extsockclass = selinux_policycap_extsockclass(); 1143 1144 switch (family) { 1145 case PF_UNIX: 1146 switch (type) { 1147 case SOCK_STREAM: 1148 case SOCK_SEQPACKET: 1149 return SECCLASS_UNIX_STREAM_SOCKET; 1150 case SOCK_DGRAM: 1151 case SOCK_RAW: 1152 return SECCLASS_UNIX_DGRAM_SOCKET; 1153 } 1154 break; 1155 case PF_INET: 1156 case PF_INET6: 1157 switch (type) { 1158 case SOCK_STREAM: 1159 case SOCK_SEQPACKET: 1160 if (default_protocol_stream(protocol)) 1161 return SECCLASS_TCP_SOCKET; 1162 else if (extsockclass && protocol == IPPROTO_SCTP) 1163 return SECCLASS_SCTP_SOCKET; 1164 else 1165 return SECCLASS_RAWIP_SOCKET; 1166 case SOCK_DGRAM: 1167 if (default_protocol_dgram(protocol)) 1168 return SECCLASS_UDP_SOCKET; 1169 else if (extsockclass && (protocol == IPPROTO_ICMP || 1170 protocol == IPPROTO_ICMPV6)) 1171 return SECCLASS_ICMP_SOCKET; 1172 else 1173 return SECCLASS_RAWIP_SOCKET; 1174 case SOCK_DCCP: 1175 return SECCLASS_DCCP_SOCKET; 1176 default: 1177 return SECCLASS_RAWIP_SOCKET; 1178 } 1179 break; 1180 case PF_NETLINK: 1181 switch (protocol) { 1182 case NETLINK_ROUTE: 1183 return SECCLASS_NETLINK_ROUTE_SOCKET; 1184 case NETLINK_SOCK_DIAG: 1185 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1186 case NETLINK_NFLOG: 1187 return SECCLASS_NETLINK_NFLOG_SOCKET; 1188 case NETLINK_XFRM: 1189 return SECCLASS_NETLINK_XFRM_SOCKET; 1190 case NETLINK_SELINUX: 1191 return SECCLASS_NETLINK_SELINUX_SOCKET; 1192 case NETLINK_ISCSI: 1193 return SECCLASS_NETLINK_ISCSI_SOCKET; 1194 case NETLINK_AUDIT: 1195 return SECCLASS_NETLINK_AUDIT_SOCKET; 1196 case NETLINK_FIB_LOOKUP: 1197 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET; 1198 case NETLINK_CONNECTOR: 1199 return SECCLASS_NETLINK_CONNECTOR_SOCKET; 1200 case NETLINK_NETFILTER: 1201 return SECCLASS_NETLINK_NETFILTER_SOCKET; 1202 case NETLINK_DNRTMSG: 1203 return SECCLASS_NETLINK_DNRT_SOCKET; 1204 case NETLINK_KOBJECT_UEVENT: 1205 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1206 case NETLINK_GENERIC: 1207 return SECCLASS_NETLINK_GENERIC_SOCKET; 1208 case NETLINK_SCSITRANSPORT: 1209 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET; 1210 case NETLINK_RDMA: 1211 return SECCLASS_NETLINK_RDMA_SOCKET; 1212 case NETLINK_CRYPTO: 1213 return SECCLASS_NETLINK_CRYPTO_SOCKET; 1214 default: 1215 return SECCLASS_NETLINK_SOCKET; 1216 } 1217 case PF_PACKET: 1218 return SECCLASS_PACKET_SOCKET; 1219 case PF_KEY: 1220 return SECCLASS_KEY_SOCKET; 1221 case PF_APPLETALK: 1222 return SECCLASS_APPLETALK_SOCKET; 1223 } 1224 1225 if (extsockclass) { 1226 switch (family) { 1227 case PF_AX25: 1228 return SECCLASS_AX25_SOCKET; 1229 case PF_IPX: 1230 return SECCLASS_IPX_SOCKET; 1231 case PF_NETROM: 1232 return SECCLASS_NETROM_SOCKET; 1233 case PF_ATMPVC: 1234 return SECCLASS_ATMPVC_SOCKET; 1235 case PF_X25: 1236 return SECCLASS_X25_SOCKET; 1237 case PF_ROSE: 1238 return SECCLASS_ROSE_SOCKET; 1239 case PF_DECnet: 1240 return SECCLASS_DECNET_SOCKET; 1241 case PF_ATMSVC: 1242 return SECCLASS_ATMSVC_SOCKET; 1243 case PF_RDS: 1244 return SECCLASS_RDS_SOCKET; 1245 case PF_IRDA: 1246 return SECCLASS_IRDA_SOCKET; 1247 case PF_PPPOX: 1248 return SECCLASS_PPPOX_SOCKET; 1249 case PF_LLC: 1250 return SECCLASS_LLC_SOCKET; 1251 case PF_CAN: 1252 return SECCLASS_CAN_SOCKET; 1253 case PF_TIPC: 1254 return SECCLASS_TIPC_SOCKET; 1255 case PF_BLUETOOTH: 1256 return SECCLASS_BLUETOOTH_SOCKET; 1257 case PF_IUCV: 1258 return SECCLASS_IUCV_SOCKET; 1259 case PF_RXRPC: 1260 return SECCLASS_RXRPC_SOCKET; 1261 case PF_ISDN: 1262 return SECCLASS_ISDN_SOCKET; 1263 case PF_PHONET: 1264 return SECCLASS_PHONET_SOCKET; 1265 case PF_IEEE802154: 1266 return SECCLASS_IEEE802154_SOCKET; 1267 case PF_CAIF: 1268 return SECCLASS_CAIF_SOCKET; 1269 case PF_ALG: 1270 return SECCLASS_ALG_SOCKET; 1271 case PF_NFC: 1272 return SECCLASS_NFC_SOCKET; 1273 case PF_VSOCK: 1274 return SECCLASS_VSOCK_SOCKET; 1275 case PF_KCM: 1276 return SECCLASS_KCM_SOCKET; 1277 case PF_QIPCRTR: 1278 return SECCLASS_QIPCRTR_SOCKET; 1279 case PF_SMC: 1280 return SECCLASS_SMC_SOCKET; 1281 case PF_XDP: 1282 return SECCLASS_XDP_SOCKET; 1283 #if PF_MAX > 45 1284 #error New address family defined, please update this function. 1285 #endif 1286 } 1287 } 1288 1289 return SECCLASS_SOCKET; 1290 } 1291 1292 static int selinux_genfs_get_sid(struct dentry *dentry, 1293 u16 tclass, 1294 u16 flags, 1295 u32 *sid) 1296 { 1297 int rc; 1298 struct super_block *sb = dentry->d_sb; 1299 char *buffer, *path; 1300 1301 buffer = (char *)__get_free_page(GFP_KERNEL); 1302 if (!buffer) 1303 return -ENOMEM; 1304 1305 path = dentry_path_raw(dentry, buffer, PAGE_SIZE); 1306 if (IS_ERR(path)) 1307 rc = PTR_ERR(path); 1308 else { 1309 if (flags & SE_SBPROC) { 1310 /* each process gets a /proc/PID/ entry. Strip off the 1311 * PID part to get a valid selinux labeling. 1312 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ 1313 while (path[1] >= '0' && path[1] <= '9') { 1314 path[1] = '/'; 1315 path++; 1316 } 1317 } 1318 rc = security_genfs_sid(&selinux_state, sb->s_type->name, 1319 path, tclass, sid); 1320 if (rc == -ENOENT) { 1321 /* No match in policy, mark as unlabeled. */ 1322 *sid = SECINITSID_UNLABELED; 1323 rc = 0; 1324 } 1325 } 1326 free_page((unsigned long)buffer); 1327 return rc; 1328 } 1329 1330 /* The inode's security attributes must be initialized before first use. */ 1331 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1332 { 1333 struct superblock_security_struct *sbsec = NULL; 1334 struct inode_security_struct *isec = selinux_inode(inode); 1335 u32 task_sid, sid = 0; 1336 u16 sclass; 1337 struct dentry *dentry; 1338 #define INITCONTEXTLEN 255 1339 char *context = NULL; 1340 unsigned len = 0; 1341 int rc = 0; 1342 1343 if (isec->initialized == LABEL_INITIALIZED) 1344 return 0; 1345 1346 spin_lock(&isec->lock); 1347 if (isec->initialized == LABEL_INITIALIZED) 1348 goto out_unlock; 1349 1350 if (isec->sclass == SECCLASS_FILE) 1351 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1352 1353 sbsec = inode->i_sb->s_security; 1354 if (!(sbsec->flags & SE_SBINITIALIZED)) { 1355 /* Defer initialization until selinux_complete_init, 1356 after the initial policy is loaded and the security 1357 server is ready to handle calls. */ 1358 spin_lock(&sbsec->isec_lock); 1359 if (list_empty(&isec->list)) 1360 list_add(&isec->list, &sbsec->isec_head); 1361 spin_unlock(&sbsec->isec_lock); 1362 goto out_unlock; 1363 } 1364 1365 sclass = isec->sclass; 1366 task_sid = isec->task_sid; 1367 sid = isec->sid; 1368 isec->initialized = LABEL_PENDING; 1369 spin_unlock(&isec->lock); 1370 1371 switch (sbsec->behavior) { 1372 case SECURITY_FS_USE_NATIVE: 1373 break; 1374 case SECURITY_FS_USE_XATTR: 1375 if (!(inode->i_opflags & IOP_XATTR)) { 1376 sid = sbsec->def_sid; 1377 break; 1378 } 1379 /* Need a dentry, since the xattr API requires one. 1380 Life would be simpler if we could just pass the inode. */ 1381 if (opt_dentry) { 1382 /* Called from d_instantiate or d_splice_alias. */ 1383 dentry = dget(opt_dentry); 1384 } else { 1385 /* 1386 * Called from selinux_complete_init, try to find a dentry. 1387 * Some filesystems really want a connected one, so try 1388 * that first. We could split SECURITY_FS_USE_XATTR in 1389 * two, depending upon that... 1390 */ 1391 dentry = d_find_alias(inode); 1392 if (!dentry) 1393 dentry = d_find_any_alias(inode); 1394 } 1395 if (!dentry) { 1396 /* 1397 * this is can be hit on boot when a file is accessed 1398 * before the policy is loaded. When we load policy we 1399 * may find inodes that have no dentry on the 1400 * sbsec->isec_head list. No reason to complain as these 1401 * will get fixed up the next time we go through 1402 * inode_doinit with a dentry, before these inodes could 1403 * be used again by userspace. 1404 */ 1405 goto out; 1406 } 1407 1408 len = INITCONTEXTLEN; 1409 context = kmalloc(len+1, GFP_NOFS); 1410 if (!context) { 1411 rc = -ENOMEM; 1412 dput(dentry); 1413 goto out; 1414 } 1415 context[len] = '\0'; 1416 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1417 if (rc == -ERANGE) { 1418 kfree(context); 1419 1420 /* Need a larger buffer. Query for the right size. */ 1421 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0); 1422 if (rc < 0) { 1423 dput(dentry); 1424 goto out; 1425 } 1426 len = rc; 1427 context = kmalloc(len+1, GFP_NOFS); 1428 if (!context) { 1429 rc = -ENOMEM; 1430 dput(dentry); 1431 goto out; 1432 } 1433 context[len] = '\0'; 1434 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1435 } 1436 dput(dentry); 1437 if (rc < 0) { 1438 if (rc != -ENODATA) { 1439 pr_warn("SELinux: %s: getxattr returned " 1440 "%d for dev=%s ino=%ld\n", __func__, 1441 -rc, inode->i_sb->s_id, inode->i_ino); 1442 kfree(context); 1443 goto out; 1444 } 1445 /* Map ENODATA to the default file SID */ 1446 sid = sbsec->def_sid; 1447 rc = 0; 1448 } else { 1449 rc = security_context_to_sid_default(&selinux_state, 1450 context, rc, &sid, 1451 sbsec->def_sid, 1452 GFP_NOFS); 1453 if (rc) { 1454 char *dev = inode->i_sb->s_id; 1455 unsigned long ino = inode->i_ino; 1456 1457 if (rc == -EINVAL) { 1458 if (printk_ratelimit()) 1459 pr_notice("SELinux: inode=%lu on dev=%s was found to have an invalid " 1460 "context=%s. This indicates you may need to relabel the inode or the " 1461 "filesystem in question.\n", ino, dev, context); 1462 } else { 1463 pr_warn("SELinux: %s: context_to_sid(%s) " 1464 "returned %d for dev=%s ino=%ld\n", 1465 __func__, context, -rc, dev, ino); 1466 } 1467 kfree(context); 1468 /* Leave with the unlabeled SID */ 1469 rc = 0; 1470 break; 1471 } 1472 } 1473 kfree(context); 1474 break; 1475 case SECURITY_FS_USE_TASK: 1476 sid = task_sid; 1477 break; 1478 case SECURITY_FS_USE_TRANS: 1479 /* Default to the fs SID. */ 1480 sid = sbsec->sid; 1481 1482 /* Try to obtain a transition SID. */ 1483 rc = security_transition_sid(&selinux_state, task_sid, sid, 1484 sclass, NULL, &sid); 1485 if (rc) 1486 goto out; 1487 break; 1488 case SECURITY_FS_USE_MNTPOINT: 1489 sid = sbsec->mntpoint_sid; 1490 break; 1491 default: 1492 /* Default to the fs superblock SID. */ 1493 sid = sbsec->sid; 1494 1495 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) { 1496 /* We must have a dentry to determine the label on 1497 * procfs inodes */ 1498 if (opt_dentry) { 1499 /* Called from d_instantiate or 1500 * d_splice_alias. */ 1501 dentry = dget(opt_dentry); 1502 } else { 1503 /* Called from selinux_complete_init, try to 1504 * find a dentry. Some filesystems really want 1505 * a connected one, so try that first. 1506 */ 1507 dentry = d_find_alias(inode); 1508 if (!dentry) 1509 dentry = d_find_any_alias(inode); 1510 } 1511 /* 1512 * This can be hit on boot when a file is accessed 1513 * before the policy is loaded. When we load policy we 1514 * may find inodes that have no dentry on the 1515 * sbsec->isec_head list. No reason to complain as 1516 * these will get fixed up the next time we go through 1517 * inode_doinit() with a dentry, before these inodes 1518 * could be used again by userspace. 1519 */ 1520 if (!dentry) 1521 goto out; 1522 rc = selinux_genfs_get_sid(dentry, sclass, 1523 sbsec->flags, &sid); 1524 dput(dentry); 1525 if (rc) 1526 goto out; 1527 } 1528 break; 1529 } 1530 1531 out: 1532 spin_lock(&isec->lock); 1533 if (isec->initialized == LABEL_PENDING) { 1534 if (!sid || rc) { 1535 isec->initialized = LABEL_INVALID; 1536 goto out_unlock; 1537 } 1538 1539 isec->initialized = LABEL_INITIALIZED; 1540 isec->sid = sid; 1541 } 1542 1543 out_unlock: 1544 spin_unlock(&isec->lock); 1545 return rc; 1546 } 1547 1548 /* Convert a Linux signal to an access vector. */ 1549 static inline u32 signal_to_av(int sig) 1550 { 1551 u32 perm = 0; 1552 1553 switch (sig) { 1554 case SIGCHLD: 1555 /* Commonly granted from child to parent. */ 1556 perm = PROCESS__SIGCHLD; 1557 break; 1558 case SIGKILL: 1559 /* Cannot be caught or ignored */ 1560 perm = PROCESS__SIGKILL; 1561 break; 1562 case SIGSTOP: 1563 /* Cannot be caught or ignored */ 1564 perm = PROCESS__SIGSTOP; 1565 break; 1566 default: 1567 /* All other signals. */ 1568 perm = PROCESS__SIGNAL; 1569 break; 1570 } 1571 1572 return perm; 1573 } 1574 1575 #if CAP_LAST_CAP > 63 1576 #error Fix SELinux to handle capabilities > 63. 1577 #endif 1578 1579 /* Check whether a task is allowed to use a capability. */ 1580 static int cred_has_capability(const struct cred *cred, 1581 int cap, unsigned int opts, bool initns) 1582 { 1583 struct common_audit_data ad; 1584 struct av_decision avd; 1585 u16 sclass; 1586 u32 sid = cred_sid(cred); 1587 u32 av = CAP_TO_MASK(cap); 1588 int rc; 1589 1590 ad.type = LSM_AUDIT_DATA_CAP; 1591 ad.u.cap = cap; 1592 1593 switch (CAP_TO_INDEX(cap)) { 1594 case 0: 1595 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS; 1596 break; 1597 case 1: 1598 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS; 1599 break; 1600 default: 1601 pr_err("SELinux: out of range capability %d\n", cap); 1602 BUG(); 1603 return -EINVAL; 1604 } 1605 1606 rc = avc_has_perm_noaudit(&selinux_state, 1607 sid, sid, sclass, av, 0, &avd); 1608 if (!(opts & CAP_OPT_NOAUDIT)) { 1609 int rc2 = avc_audit(&selinux_state, 1610 sid, sid, sclass, av, &avd, rc, &ad, 0); 1611 if (rc2) 1612 return rc2; 1613 } 1614 return rc; 1615 } 1616 1617 /* Check whether a task has a particular permission to an inode. 1618 The 'adp' parameter is optional and allows other audit 1619 data to be passed (e.g. the dentry). */ 1620 static int inode_has_perm(const struct cred *cred, 1621 struct inode *inode, 1622 u32 perms, 1623 struct common_audit_data *adp) 1624 { 1625 struct inode_security_struct *isec; 1626 u32 sid; 1627 1628 validate_creds(cred); 1629 1630 if (unlikely(IS_PRIVATE(inode))) 1631 return 0; 1632 1633 sid = cred_sid(cred); 1634 isec = selinux_inode(inode); 1635 1636 return avc_has_perm(&selinux_state, 1637 sid, isec->sid, isec->sclass, perms, adp); 1638 } 1639 1640 /* Same as inode_has_perm, but pass explicit audit data containing 1641 the dentry to help the auditing code to more easily generate the 1642 pathname if needed. */ 1643 static inline int dentry_has_perm(const struct cred *cred, 1644 struct dentry *dentry, 1645 u32 av) 1646 { 1647 struct inode *inode = d_backing_inode(dentry); 1648 struct common_audit_data ad; 1649 1650 ad.type = LSM_AUDIT_DATA_DENTRY; 1651 ad.u.dentry = dentry; 1652 __inode_security_revalidate(inode, dentry, true); 1653 return inode_has_perm(cred, inode, av, &ad); 1654 } 1655 1656 /* Same as inode_has_perm, but pass explicit audit data containing 1657 the path to help the auditing code to more easily generate the 1658 pathname if needed. */ 1659 static inline int path_has_perm(const struct cred *cred, 1660 const struct path *path, 1661 u32 av) 1662 { 1663 struct inode *inode = d_backing_inode(path->dentry); 1664 struct common_audit_data ad; 1665 1666 ad.type = LSM_AUDIT_DATA_PATH; 1667 ad.u.path = *path; 1668 __inode_security_revalidate(inode, path->dentry, true); 1669 return inode_has_perm(cred, inode, av, &ad); 1670 } 1671 1672 /* Same as path_has_perm, but uses the inode from the file struct. */ 1673 static inline int file_path_has_perm(const struct cred *cred, 1674 struct file *file, 1675 u32 av) 1676 { 1677 struct common_audit_data ad; 1678 1679 ad.type = LSM_AUDIT_DATA_FILE; 1680 ad.u.file = file; 1681 return inode_has_perm(cred, file_inode(file), av, &ad); 1682 } 1683 1684 #ifdef CONFIG_BPF_SYSCALL 1685 static int bpf_fd_pass(struct file *file, u32 sid); 1686 #endif 1687 1688 /* Check whether a task can use an open file descriptor to 1689 access an inode in a given way. Check access to the 1690 descriptor itself, and then use dentry_has_perm to 1691 check a particular permission to the file. 1692 Access to the descriptor is implicitly granted if it 1693 has the same SID as the process. If av is zero, then 1694 access to the file is not checked, e.g. for cases 1695 where only the descriptor is affected like seek. */ 1696 static int file_has_perm(const struct cred *cred, 1697 struct file *file, 1698 u32 av) 1699 { 1700 struct file_security_struct *fsec = selinux_file(file); 1701 struct inode *inode = file_inode(file); 1702 struct common_audit_data ad; 1703 u32 sid = cred_sid(cred); 1704 int rc; 1705 1706 ad.type = LSM_AUDIT_DATA_FILE; 1707 ad.u.file = file; 1708 1709 if (sid != fsec->sid) { 1710 rc = avc_has_perm(&selinux_state, 1711 sid, fsec->sid, 1712 SECCLASS_FD, 1713 FD__USE, 1714 &ad); 1715 if (rc) 1716 goto out; 1717 } 1718 1719 #ifdef CONFIG_BPF_SYSCALL 1720 rc = bpf_fd_pass(file, cred_sid(cred)); 1721 if (rc) 1722 return rc; 1723 #endif 1724 1725 /* av is zero if only checking access to the descriptor. */ 1726 rc = 0; 1727 if (av) 1728 rc = inode_has_perm(cred, inode, av, &ad); 1729 1730 out: 1731 return rc; 1732 } 1733 1734 /* 1735 * Determine the label for an inode that might be unioned. 1736 */ 1737 static int 1738 selinux_determine_inode_label(const struct task_security_struct *tsec, 1739 struct inode *dir, 1740 const struct qstr *name, u16 tclass, 1741 u32 *_new_isid) 1742 { 1743 const struct superblock_security_struct *sbsec = dir->i_sb->s_security; 1744 1745 if ((sbsec->flags & SE_SBINITIALIZED) && 1746 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { 1747 *_new_isid = sbsec->mntpoint_sid; 1748 } else if ((sbsec->flags & SBLABEL_MNT) && 1749 tsec->create_sid) { 1750 *_new_isid = tsec->create_sid; 1751 } else { 1752 const struct inode_security_struct *dsec = inode_security(dir); 1753 return security_transition_sid(&selinux_state, tsec->sid, 1754 dsec->sid, tclass, 1755 name, _new_isid); 1756 } 1757 1758 return 0; 1759 } 1760 1761 /* Check whether a task can create a file. */ 1762 static int may_create(struct inode *dir, 1763 struct dentry *dentry, 1764 u16 tclass) 1765 { 1766 const struct task_security_struct *tsec = selinux_cred(current_cred()); 1767 struct inode_security_struct *dsec; 1768 struct superblock_security_struct *sbsec; 1769 u32 sid, newsid; 1770 struct common_audit_data ad; 1771 int rc; 1772 1773 dsec = inode_security(dir); 1774 sbsec = dir->i_sb->s_security; 1775 1776 sid = tsec->sid; 1777 1778 ad.type = LSM_AUDIT_DATA_DENTRY; 1779 ad.u.dentry = dentry; 1780 1781 rc = avc_has_perm(&selinux_state, 1782 sid, dsec->sid, SECCLASS_DIR, 1783 DIR__ADD_NAME | DIR__SEARCH, 1784 &ad); 1785 if (rc) 1786 return rc; 1787 1788 rc = selinux_determine_inode_label(selinux_cred(current_cred()), dir, 1789 &dentry->d_name, tclass, &newsid); 1790 if (rc) 1791 return rc; 1792 1793 rc = avc_has_perm(&selinux_state, 1794 sid, newsid, tclass, FILE__CREATE, &ad); 1795 if (rc) 1796 return rc; 1797 1798 return avc_has_perm(&selinux_state, 1799 newsid, sbsec->sid, 1800 SECCLASS_FILESYSTEM, 1801 FILESYSTEM__ASSOCIATE, &ad); 1802 } 1803 1804 #define MAY_LINK 0 1805 #define MAY_UNLINK 1 1806 #define MAY_RMDIR 2 1807 1808 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1809 static int may_link(struct inode *dir, 1810 struct dentry *dentry, 1811 int kind) 1812 1813 { 1814 struct inode_security_struct *dsec, *isec; 1815 struct common_audit_data ad; 1816 u32 sid = current_sid(); 1817 u32 av; 1818 int rc; 1819 1820 dsec = inode_security(dir); 1821 isec = backing_inode_security(dentry); 1822 1823 ad.type = LSM_AUDIT_DATA_DENTRY; 1824 ad.u.dentry = dentry; 1825 1826 av = DIR__SEARCH; 1827 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1828 rc = avc_has_perm(&selinux_state, 1829 sid, dsec->sid, SECCLASS_DIR, av, &ad); 1830 if (rc) 1831 return rc; 1832 1833 switch (kind) { 1834 case MAY_LINK: 1835 av = FILE__LINK; 1836 break; 1837 case MAY_UNLINK: 1838 av = FILE__UNLINK; 1839 break; 1840 case MAY_RMDIR: 1841 av = DIR__RMDIR; 1842 break; 1843 default: 1844 pr_warn("SELinux: %s: unrecognized kind %d\n", 1845 __func__, kind); 1846 return 0; 1847 } 1848 1849 rc = avc_has_perm(&selinux_state, 1850 sid, isec->sid, isec->sclass, av, &ad); 1851 return rc; 1852 } 1853 1854 static inline int may_rename(struct inode *old_dir, 1855 struct dentry *old_dentry, 1856 struct inode *new_dir, 1857 struct dentry *new_dentry) 1858 { 1859 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1860 struct common_audit_data ad; 1861 u32 sid = current_sid(); 1862 u32 av; 1863 int old_is_dir, new_is_dir; 1864 int rc; 1865 1866 old_dsec = inode_security(old_dir); 1867 old_isec = backing_inode_security(old_dentry); 1868 old_is_dir = d_is_dir(old_dentry); 1869 new_dsec = inode_security(new_dir); 1870 1871 ad.type = LSM_AUDIT_DATA_DENTRY; 1872 1873 ad.u.dentry = old_dentry; 1874 rc = avc_has_perm(&selinux_state, 1875 sid, old_dsec->sid, SECCLASS_DIR, 1876 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1877 if (rc) 1878 return rc; 1879 rc = avc_has_perm(&selinux_state, 1880 sid, old_isec->sid, 1881 old_isec->sclass, FILE__RENAME, &ad); 1882 if (rc) 1883 return rc; 1884 if (old_is_dir && new_dir != old_dir) { 1885 rc = avc_has_perm(&selinux_state, 1886 sid, old_isec->sid, 1887 old_isec->sclass, DIR__REPARENT, &ad); 1888 if (rc) 1889 return rc; 1890 } 1891 1892 ad.u.dentry = new_dentry; 1893 av = DIR__ADD_NAME | DIR__SEARCH; 1894 if (d_is_positive(new_dentry)) 1895 av |= DIR__REMOVE_NAME; 1896 rc = avc_has_perm(&selinux_state, 1897 sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 1898 if (rc) 1899 return rc; 1900 if (d_is_positive(new_dentry)) { 1901 new_isec = backing_inode_security(new_dentry); 1902 new_is_dir = d_is_dir(new_dentry); 1903 rc = avc_has_perm(&selinux_state, 1904 sid, new_isec->sid, 1905 new_isec->sclass, 1906 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 1907 if (rc) 1908 return rc; 1909 } 1910 1911 return 0; 1912 } 1913 1914 /* Check whether a task can perform a filesystem operation. */ 1915 static int superblock_has_perm(const struct cred *cred, 1916 struct super_block *sb, 1917 u32 perms, 1918 struct common_audit_data *ad) 1919 { 1920 struct superblock_security_struct *sbsec; 1921 u32 sid = cred_sid(cred); 1922 1923 sbsec = sb->s_security; 1924 return avc_has_perm(&selinux_state, 1925 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 1926 } 1927 1928 /* Convert a Linux mode and permission mask to an access vector. */ 1929 static inline u32 file_mask_to_av(int mode, int mask) 1930 { 1931 u32 av = 0; 1932 1933 if (!S_ISDIR(mode)) { 1934 if (mask & MAY_EXEC) 1935 av |= FILE__EXECUTE; 1936 if (mask & MAY_READ) 1937 av |= FILE__READ; 1938 1939 if (mask & MAY_APPEND) 1940 av |= FILE__APPEND; 1941 else if (mask & MAY_WRITE) 1942 av |= FILE__WRITE; 1943 1944 } else { 1945 if (mask & MAY_EXEC) 1946 av |= DIR__SEARCH; 1947 if (mask & MAY_WRITE) 1948 av |= DIR__WRITE; 1949 if (mask & MAY_READ) 1950 av |= DIR__READ; 1951 } 1952 1953 return av; 1954 } 1955 1956 /* Convert a Linux file to an access vector. */ 1957 static inline u32 file_to_av(struct file *file) 1958 { 1959 u32 av = 0; 1960 1961 if (file->f_mode & FMODE_READ) 1962 av |= FILE__READ; 1963 if (file->f_mode & FMODE_WRITE) { 1964 if (file->f_flags & O_APPEND) 1965 av |= FILE__APPEND; 1966 else 1967 av |= FILE__WRITE; 1968 } 1969 if (!av) { 1970 /* 1971 * Special file opened with flags 3 for ioctl-only use. 1972 */ 1973 av = FILE__IOCTL; 1974 } 1975 1976 return av; 1977 } 1978 1979 /* 1980 * Convert a file to an access vector and include the correct open 1981 * open permission. 1982 */ 1983 static inline u32 open_file_to_av(struct file *file) 1984 { 1985 u32 av = file_to_av(file); 1986 struct inode *inode = file_inode(file); 1987 1988 if (selinux_policycap_openperm() && 1989 inode->i_sb->s_magic != SOCKFS_MAGIC) 1990 av |= FILE__OPEN; 1991 1992 return av; 1993 } 1994 1995 /* Hook functions begin here. */ 1996 1997 static int selinux_binder_set_context_mgr(struct task_struct *mgr) 1998 { 1999 u32 mysid = current_sid(); 2000 u32 mgrsid = task_sid(mgr); 2001 2002 return avc_has_perm(&selinux_state, 2003 mysid, mgrsid, SECCLASS_BINDER, 2004 BINDER__SET_CONTEXT_MGR, NULL); 2005 } 2006 2007 static int selinux_binder_transaction(struct task_struct *from, 2008 struct task_struct *to) 2009 { 2010 u32 mysid = current_sid(); 2011 u32 fromsid = task_sid(from); 2012 u32 tosid = task_sid(to); 2013 int rc; 2014 2015 if (mysid != fromsid) { 2016 rc = avc_has_perm(&selinux_state, 2017 mysid, fromsid, SECCLASS_BINDER, 2018 BINDER__IMPERSONATE, NULL); 2019 if (rc) 2020 return rc; 2021 } 2022 2023 return avc_has_perm(&selinux_state, 2024 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL, 2025 NULL); 2026 } 2027 2028 static int selinux_binder_transfer_binder(struct task_struct *from, 2029 struct task_struct *to) 2030 { 2031 u32 fromsid = task_sid(from); 2032 u32 tosid = task_sid(to); 2033 2034 return avc_has_perm(&selinux_state, 2035 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, 2036 NULL); 2037 } 2038 2039 static int selinux_binder_transfer_file(struct task_struct *from, 2040 struct task_struct *to, 2041 struct file *file) 2042 { 2043 u32 sid = task_sid(to); 2044 struct file_security_struct *fsec = selinux_file(file); 2045 struct dentry *dentry = file->f_path.dentry; 2046 struct inode_security_struct *isec; 2047 struct common_audit_data ad; 2048 int rc; 2049 2050 ad.type = LSM_AUDIT_DATA_PATH; 2051 ad.u.path = file->f_path; 2052 2053 if (sid != fsec->sid) { 2054 rc = avc_has_perm(&selinux_state, 2055 sid, fsec->sid, 2056 SECCLASS_FD, 2057 FD__USE, 2058 &ad); 2059 if (rc) 2060 return rc; 2061 } 2062 2063 #ifdef CONFIG_BPF_SYSCALL 2064 rc = bpf_fd_pass(file, sid); 2065 if (rc) 2066 return rc; 2067 #endif 2068 2069 if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) 2070 return 0; 2071 2072 isec = backing_inode_security(dentry); 2073 return avc_has_perm(&selinux_state, 2074 sid, isec->sid, isec->sclass, file_to_av(file), 2075 &ad); 2076 } 2077 2078 static int selinux_ptrace_access_check(struct task_struct *child, 2079 unsigned int mode) 2080 { 2081 u32 sid = current_sid(); 2082 u32 csid = task_sid(child); 2083 2084 if (mode & PTRACE_MODE_READ) 2085 return avc_has_perm(&selinux_state, 2086 sid, csid, SECCLASS_FILE, FILE__READ, NULL); 2087 2088 return avc_has_perm(&selinux_state, 2089 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2090 } 2091 2092 static int selinux_ptrace_traceme(struct task_struct *parent) 2093 { 2094 return avc_has_perm(&selinux_state, 2095 task_sid(parent), current_sid(), SECCLASS_PROCESS, 2096 PROCESS__PTRACE, NULL); 2097 } 2098 2099 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 2100 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2101 { 2102 return avc_has_perm(&selinux_state, 2103 current_sid(), task_sid(target), SECCLASS_PROCESS, 2104 PROCESS__GETCAP, NULL); 2105 } 2106 2107 static int selinux_capset(struct cred *new, const struct cred *old, 2108 const kernel_cap_t *effective, 2109 const kernel_cap_t *inheritable, 2110 const kernel_cap_t *permitted) 2111 { 2112 return avc_has_perm(&selinux_state, 2113 cred_sid(old), cred_sid(new), SECCLASS_PROCESS, 2114 PROCESS__SETCAP, NULL); 2115 } 2116 2117 /* 2118 * (This comment used to live with the selinux_task_setuid hook, 2119 * which was removed). 2120 * 2121 * Since setuid only affects the current process, and since the SELinux 2122 * controls are not based on the Linux identity attributes, SELinux does not 2123 * need to control this operation. However, SELinux does control the use of 2124 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. 2125 */ 2126 2127 static int selinux_capable(const struct cred *cred, struct user_namespace *ns, 2128 int cap, unsigned int opts) 2129 { 2130 return cred_has_capability(cred, cap, opts, ns == &init_user_ns); 2131 } 2132 2133 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 2134 { 2135 const struct cred *cred = current_cred(); 2136 int rc = 0; 2137 2138 if (!sb) 2139 return 0; 2140 2141 switch (cmds) { 2142 case Q_SYNC: 2143 case Q_QUOTAON: 2144 case Q_QUOTAOFF: 2145 case Q_SETINFO: 2146 case Q_SETQUOTA: 2147 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); 2148 break; 2149 case Q_GETFMT: 2150 case Q_GETINFO: 2151 case Q_GETQUOTA: 2152 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); 2153 break; 2154 default: 2155 rc = 0; /* let the kernel handle invalid cmds */ 2156 break; 2157 } 2158 return rc; 2159 } 2160 2161 static int selinux_quota_on(struct dentry *dentry) 2162 { 2163 const struct cred *cred = current_cred(); 2164 2165 return dentry_has_perm(cred, dentry, FILE__QUOTAON); 2166 } 2167 2168 static int selinux_syslog(int type) 2169 { 2170 switch (type) { 2171 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2172 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2173 return avc_has_perm(&selinux_state, 2174 current_sid(), SECINITSID_KERNEL, 2175 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL); 2176 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2177 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2178 /* Set level of messages printed to console */ 2179 case SYSLOG_ACTION_CONSOLE_LEVEL: 2180 return avc_has_perm(&selinux_state, 2181 current_sid(), SECINITSID_KERNEL, 2182 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, 2183 NULL); 2184 } 2185 /* All other syslog types */ 2186 return avc_has_perm(&selinux_state, 2187 current_sid(), SECINITSID_KERNEL, 2188 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL); 2189 } 2190 2191 /* 2192 * Check that a process has enough memory to allocate a new virtual 2193 * mapping. 0 means there is enough memory for the allocation to 2194 * succeed and -ENOMEM implies there is not. 2195 * 2196 * Do not audit the selinux permission check, as this is applied to all 2197 * processes that allocate mappings. 2198 */ 2199 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 2200 { 2201 int rc, cap_sys_admin = 0; 2202 2203 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN, 2204 CAP_OPT_NOAUDIT, true); 2205 if (rc == 0) 2206 cap_sys_admin = 1; 2207 2208 return cap_sys_admin; 2209 } 2210 2211 /* binprm security operations */ 2212 2213 static u32 ptrace_parent_sid(void) 2214 { 2215 u32 sid = 0; 2216 struct task_struct *tracer; 2217 2218 rcu_read_lock(); 2219 tracer = ptrace_parent(current); 2220 if (tracer) 2221 sid = task_sid(tracer); 2222 rcu_read_unlock(); 2223 2224 return sid; 2225 } 2226 2227 static int check_nnp_nosuid(const struct linux_binprm *bprm, 2228 const struct task_security_struct *old_tsec, 2229 const struct task_security_struct *new_tsec) 2230 { 2231 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); 2232 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt); 2233 int rc; 2234 u32 av; 2235 2236 if (!nnp && !nosuid) 2237 return 0; /* neither NNP nor nosuid */ 2238 2239 if (new_tsec->sid == old_tsec->sid) 2240 return 0; /* No change in credentials */ 2241 2242 /* 2243 * If the policy enables the nnp_nosuid_transition policy capability, 2244 * then we permit transitions under NNP or nosuid if the 2245 * policy allows the corresponding permission between 2246 * the old and new contexts. 2247 */ 2248 if (selinux_policycap_nnp_nosuid_transition()) { 2249 av = 0; 2250 if (nnp) 2251 av |= PROCESS2__NNP_TRANSITION; 2252 if (nosuid) 2253 av |= PROCESS2__NOSUID_TRANSITION; 2254 rc = avc_has_perm(&selinux_state, 2255 old_tsec->sid, new_tsec->sid, 2256 SECCLASS_PROCESS2, av, NULL); 2257 if (!rc) 2258 return 0; 2259 } 2260 2261 /* 2262 * We also permit NNP or nosuid transitions to bounded SIDs, 2263 * i.e. SIDs that are guaranteed to only be allowed a subset 2264 * of the permissions of the current SID. 2265 */ 2266 rc = security_bounded_transition(&selinux_state, old_tsec->sid, 2267 new_tsec->sid); 2268 if (!rc) 2269 return 0; 2270 2271 /* 2272 * On failure, preserve the errno values for NNP vs nosuid. 2273 * NNP: Operation not permitted for caller. 2274 * nosuid: Permission denied to file. 2275 */ 2276 if (nnp) 2277 return -EPERM; 2278 return -EACCES; 2279 } 2280 2281 static int selinux_bprm_set_creds(struct linux_binprm *bprm) 2282 { 2283 const struct task_security_struct *old_tsec; 2284 struct task_security_struct *new_tsec; 2285 struct inode_security_struct *isec; 2286 struct common_audit_data ad; 2287 struct inode *inode = file_inode(bprm->file); 2288 int rc; 2289 2290 /* SELinux context only depends on initial program or script and not 2291 * the script interpreter */ 2292 if (bprm->called_set_creds) 2293 return 0; 2294 2295 old_tsec = selinux_cred(current_cred()); 2296 new_tsec = selinux_cred(bprm->cred); 2297 isec = inode_security(inode); 2298 2299 /* Default to the current task SID. */ 2300 new_tsec->sid = old_tsec->sid; 2301 new_tsec->osid = old_tsec->sid; 2302 2303 /* Reset fs, key, and sock SIDs on execve. */ 2304 new_tsec->create_sid = 0; 2305 new_tsec->keycreate_sid = 0; 2306 new_tsec->sockcreate_sid = 0; 2307 2308 if (old_tsec->exec_sid) { 2309 new_tsec->sid = old_tsec->exec_sid; 2310 /* Reset exec SID on execve. */ 2311 new_tsec->exec_sid = 0; 2312 2313 /* Fail on NNP or nosuid if not an allowed transition. */ 2314 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2315 if (rc) 2316 return rc; 2317 } else { 2318 /* Check for a default transition on this program. */ 2319 rc = security_transition_sid(&selinux_state, old_tsec->sid, 2320 isec->sid, SECCLASS_PROCESS, NULL, 2321 &new_tsec->sid); 2322 if (rc) 2323 return rc; 2324 2325 /* 2326 * Fallback to old SID on NNP or nosuid if not an allowed 2327 * transition. 2328 */ 2329 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2330 if (rc) 2331 new_tsec->sid = old_tsec->sid; 2332 } 2333 2334 ad.type = LSM_AUDIT_DATA_FILE; 2335 ad.u.file = bprm->file; 2336 2337 if (new_tsec->sid == old_tsec->sid) { 2338 rc = avc_has_perm(&selinux_state, 2339 old_tsec->sid, isec->sid, 2340 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2341 if (rc) 2342 return rc; 2343 } else { 2344 /* Check permissions for the transition. */ 2345 rc = avc_has_perm(&selinux_state, 2346 old_tsec->sid, new_tsec->sid, 2347 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2348 if (rc) 2349 return rc; 2350 2351 rc = avc_has_perm(&selinux_state, 2352 new_tsec->sid, isec->sid, 2353 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2354 if (rc) 2355 return rc; 2356 2357 /* Check for shared state */ 2358 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2359 rc = avc_has_perm(&selinux_state, 2360 old_tsec->sid, new_tsec->sid, 2361 SECCLASS_PROCESS, PROCESS__SHARE, 2362 NULL); 2363 if (rc) 2364 return -EPERM; 2365 } 2366 2367 /* Make sure that anyone attempting to ptrace over a task that 2368 * changes its SID has the appropriate permit */ 2369 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 2370 u32 ptsid = ptrace_parent_sid(); 2371 if (ptsid != 0) { 2372 rc = avc_has_perm(&selinux_state, 2373 ptsid, new_tsec->sid, 2374 SECCLASS_PROCESS, 2375 PROCESS__PTRACE, NULL); 2376 if (rc) 2377 return -EPERM; 2378 } 2379 } 2380 2381 /* Clear any possibly unsafe personality bits on exec: */ 2382 bprm->per_clear |= PER_CLEAR_ON_SETID; 2383 2384 /* Enable secure mode for SIDs transitions unless 2385 the noatsecure permission is granted between 2386 the two SIDs, i.e. ahp returns 0. */ 2387 rc = avc_has_perm(&selinux_state, 2388 old_tsec->sid, new_tsec->sid, 2389 SECCLASS_PROCESS, PROCESS__NOATSECURE, 2390 NULL); 2391 bprm->secureexec |= !!rc; 2392 } 2393 2394 return 0; 2395 } 2396 2397 static int match_file(const void *p, struct file *file, unsigned fd) 2398 { 2399 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0; 2400 } 2401 2402 /* Derived from fs/exec.c:flush_old_files. */ 2403 static inline void flush_unauthorized_files(const struct cred *cred, 2404 struct files_struct *files) 2405 { 2406 struct file *file, *devnull = NULL; 2407 struct tty_struct *tty; 2408 int drop_tty = 0; 2409 unsigned n; 2410 2411 tty = get_current_tty(); 2412 if (tty) { 2413 spin_lock(&tty->files_lock); 2414 if (!list_empty(&tty->tty_files)) { 2415 struct tty_file_private *file_priv; 2416 2417 /* Revalidate access to controlling tty. 2418 Use file_path_has_perm on the tty path directly 2419 rather than using file_has_perm, as this particular 2420 open file may belong to another process and we are 2421 only interested in the inode-based check here. */ 2422 file_priv = list_first_entry(&tty->tty_files, 2423 struct tty_file_private, list); 2424 file = file_priv->file; 2425 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE)) 2426 drop_tty = 1; 2427 } 2428 spin_unlock(&tty->files_lock); 2429 tty_kref_put(tty); 2430 } 2431 /* Reset controlling tty. */ 2432 if (drop_tty) 2433 no_tty(); 2434 2435 /* Revalidate access to inherited open files. */ 2436 n = iterate_fd(files, 0, match_file, cred); 2437 if (!n) /* none found? */ 2438 return; 2439 2440 devnull = dentry_open(&selinux_null, O_RDWR, cred); 2441 if (IS_ERR(devnull)) 2442 devnull = NULL; 2443 /* replace all the matching ones with this */ 2444 do { 2445 replace_fd(n - 1, devnull, 0); 2446 } while ((n = iterate_fd(files, n, match_file, cred)) != 0); 2447 if (devnull) 2448 fput(devnull); 2449 } 2450 2451 /* 2452 * Prepare a process for imminent new credential changes due to exec 2453 */ 2454 static void selinux_bprm_committing_creds(struct linux_binprm *bprm) 2455 { 2456 struct task_security_struct *new_tsec; 2457 struct rlimit *rlim, *initrlim; 2458 int rc, i; 2459 2460 new_tsec = selinux_cred(bprm->cred); 2461 if (new_tsec->sid == new_tsec->osid) 2462 return; 2463 2464 /* Close files for which the new task SID is not authorized. */ 2465 flush_unauthorized_files(bprm->cred, current->files); 2466 2467 /* Always clear parent death signal on SID transitions. */ 2468 current->pdeath_signal = 0; 2469 2470 /* Check whether the new SID can inherit resource limits from the old 2471 * SID. If not, reset all soft limits to the lower of the current 2472 * task's hard limit and the init task's soft limit. 2473 * 2474 * Note that the setting of hard limits (even to lower them) can be 2475 * controlled by the setrlimit check. The inclusion of the init task's 2476 * soft limit into the computation is to avoid resetting soft limits 2477 * higher than the default soft limit for cases where the default is 2478 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2479 */ 2480 rc = avc_has_perm(&selinux_state, 2481 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2482 PROCESS__RLIMITINH, NULL); 2483 if (rc) { 2484 /* protect against do_prlimit() */ 2485 task_lock(current); 2486 for (i = 0; i < RLIM_NLIMITS; i++) { 2487 rlim = current->signal->rlim + i; 2488 initrlim = init_task.signal->rlim + i; 2489 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); 2490 } 2491 task_unlock(current); 2492 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) 2493 update_rlimit_cpu(current, rlimit(RLIMIT_CPU)); 2494 } 2495 } 2496 2497 /* 2498 * Clean up the process immediately after the installation of new credentials 2499 * due to exec 2500 */ 2501 static void selinux_bprm_committed_creds(struct linux_binprm *bprm) 2502 { 2503 const struct task_security_struct *tsec = selinux_cred(current_cred()); 2504 struct itimerval itimer; 2505 u32 osid, sid; 2506 int rc, i; 2507 2508 osid = tsec->osid; 2509 sid = tsec->sid; 2510 2511 if (sid == osid) 2512 return; 2513 2514 /* Check whether the new SID can inherit signal state from the old SID. 2515 * If not, clear itimers to avoid subsequent signal generation and 2516 * flush and unblock signals. 2517 * 2518 * This must occur _after_ the task SID has been updated so that any 2519 * kill done after the flush will be checked against the new SID. 2520 */ 2521 rc = avc_has_perm(&selinux_state, 2522 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2523 if (rc) { 2524 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) { 2525 memset(&itimer, 0, sizeof itimer); 2526 for (i = 0; i < 3; i++) 2527 do_setitimer(i, &itimer, NULL); 2528 } 2529 spin_lock_irq(¤t->sighand->siglock); 2530 if (!fatal_signal_pending(current)) { 2531 flush_sigqueue(¤t->pending); 2532 flush_sigqueue(¤t->signal->shared_pending); 2533 flush_signal_handlers(current, 1); 2534 sigemptyset(¤t->blocked); 2535 recalc_sigpending(); 2536 } 2537 spin_unlock_irq(¤t->sighand->siglock); 2538 } 2539 2540 /* Wake up the parent if it is waiting so that it can recheck 2541 * wait permission to the new task SID. */ 2542 read_lock(&tasklist_lock); 2543 __wake_up_parent(current, current->real_parent); 2544 read_unlock(&tasklist_lock); 2545 } 2546 2547 /* superblock security operations */ 2548 2549 static int selinux_sb_alloc_security(struct super_block *sb) 2550 { 2551 return superblock_alloc_security(sb); 2552 } 2553 2554 static void selinux_sb_free_security(struct super_block *sb) 2555 { 2556 superblock_free_security(sb); 2557 } 2558 2559 static inline int opt_len(const char *s) 2560 { 2561 bool open_quote = false; 2562 int len; 2563 char c; 2564 2565 for (len = 0; (c = s[len]) != '\0'; len++) { 2566 if (c == '"') 2567 open_quote = !open_quote; 2568 if (c == ',' && !open_quote) 2569 break; 2570 } 2571 return len; 2572 } 2573 2574 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts) 2575 { 2576 char *from = options; 2577 char *to = options; 2578 bool first = true; 2579 2580 while (1) { 2581 int len = opt_len(from); 2582 int token, rc; 2583 char *arg = NULL; 2584 2585 token = match_opt_prefix(from, len, &arg); 2586 2587 if (token != Opt_error) { 2588 char *p, *q; 2589 2590 /* strip quotes */ 2591 if (arg) { 2592 for (p = q = arg; p < from + len; p++) { 2593 char c = *p; 2594 if (c != '"') 2595 *q++ = c; 2596 } 2597 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL); 2598 } 2599 rc = selinux_add_opt(token, arg, mnt_opts); 2600 if (unlikely(rc)) { 2601 kfree(arg); 2602 if (*mnt_opts) { 2603 selinux_free_mnt_opts(*mnt_opts); 2604 *mnt_opts = NULL; 2605 } 2606 return rc; 2607 } 2608 } else { 2609 if (!first) { // copy with preceding comma 2610 from--; 2611 len++; 2612 } 2613 if (to != from) 2614 memmove(to, from, len); 2615 to += len; 2616 first = false; 2617 } 2618 if (!from[len]) 2619 break; 2620 from += len + 1; 2621 } 2622 *to = '\0'; 2623 return 0; 2624 } 2625 2626 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts) 2627 { 2628 struct selinux_mnt_opts *opts = mnt_opts; 2629 struct superblock_security_struct *sbsec = sb->s_security; 2630 u32 sid; 2631 int rc; 2632 2633 if (!(sbsec->flags & SE_SBINITIALIZED)) 2634 return 0; 2635 2636 if (!opts) 2637 return 0; 2638 2639 if (opts->fscontext) { 2640 rc = parse_sid(sb, opts->fscontext, &sid); 2641 if (rc) 2642 return rc; 2643 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid)) 2644 goto out_bad_option; 2645 } 2646 if (opts->context) { 2647 rc = parse_sid(sb, opts->context, &sid); 2648 if (rc) 2649 return rc; 2650 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid)) 2651 goto out_bad_option; 2652 } 2653 if (opts->rootcontext) { 2654 struct inode_security_struct *root_isec; 2655 root_isec = backing_inode_security(sb->s_root); 2656 rc = parse_sid(sb, opts->rootcontext, &sid); 2657 if (rc) 2658 return rc; 2659 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) 2660 goto out_bad_option; 2661 } 2662 if (opts->defcontext) { 2663 rc = parse_sid(sb, opts->defcontext, &sid); 2664 if (rc) 2665 return rc; 2666 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid)) 2667 goto out_bad_option; 2668 } 2669 return 0; 2670 2671 out_bad_option: 2672 pr_warn("SELinux: unable to change security options " 2673 "during remount (dev %s, type=%s)\n", sb->s_id, 2674 sb->s_type->name); 2675 return -EINVAL; 2676 } 2677 2678 static int selinux_sb_kern_mount(struct super_block *sb) 2679 { 2680 const struct cred *cred = current_cred(); 2681 struct common_audit_data ad; 2682 2683 ad.type = LSM_AUDIT_DATA_DENTRY; 2684 ad.u.dentry = sb->s_root; 2685 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2686 } 2687 2688 static int selinux_sb_statfs(struct dentry *dentry) 2689 { 2690 const struct cred *cred = current_cred(); 2691 struct common_audit_data ad; 2692 2693 ad.type = LSM_AUDIT_DATA_DENTRY; 2694 ad.u.dentry = dentry->d_sb->s_root; 2695 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2696 } 2697 2698 static int selinux_mount(const char *dev_name, 2699 const struct path *path, 2700 const char *type, 2701 unsigned long flags, 2702 void *data) 2703 { 2704 const struct cred *cred = current_cred(); 2705 2706 if (flags & MS_REMOUNT) 2707 return superblock_has_perm(cred, path->dentry->d_sb, 2708 FILESYSTEM__REMOUNT, NULL); 2709 else 2710 return path_has_perm(cred, path, FILE__MOUNTON); 2711 } 2712 2713 static int selinux_umount(struct vfsmount *mnt, int flags) 2714 { 2715 const struct cred *cred = current_cred(); 2716 2717 return superblock_has_perm(cred, mnt->mnt_sb, 2718 FILESYSTEM__UNMOUNT, NULL); 2719 } 2720 2721 /* inode security operations */ 2722 2723 static int selinux_inode_alloc_security(struct inode *inode) 2724 { 2725 return inode_alloc_security(inode); 2726 } 2727 2728 static void selinux_inode_free_security(struct inode *inode) 2729 { 2730 inode_free_security(inode); 2731 } 2732 2733 static int selinux_dentry_init_security(struct dentry *dentry, int mode, 2734 const struct qstr *name, void **ctx, 2735 u32 *ctxlen) 2736 { 2737 u32 newsid; 2738 int rc; 2739 2740 rc = selinux_determine_inode_label(selinux_cred(current_cred()), 2741 d_inode(dentry->d_parent), name, 2742 inode_mode_to_security_class(mode), 2743 &newsid); 2744 if (rc) 2745 return rc; 2746 2747 return security_sid_to_context(&selinux_state, newsid, (char **)ctx, 2748 ctxlen); 2749 } 2750 2751 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, 2752 struct qstr *name, 2753 const struct cred *old, 2754 struct cred *new) 2755 { 2756 u32 newsid; 2757 int rc; 2758 struct task_security_struct *tsec; 2759 2760 rc = selinux_determine_inode_label(selinux_cred(old), 2761 d_inode(dentry->d_parent), name, 2762 inode_mode_to_security_class(mode), 2763 &newsid); 2764 if (rc) 2765 return rc; 2766 2767 tsec = selinux_cred(new); 2768 tsec->create_sid = newsid; 2769 return 0; 2770 } 2771 2772 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2773 const struct qstr *qstr, 2774 const char **name, 2775 void **value, size_t *len) 2776 { 2777 const struct task_security_struct *tsec = selinux_cred(current_cred()); 2778 struct superblock_security_struct *sbsec; 2779 u32 newsid, clen; 2780 int rc; 2781 char *context; 2782 2783 sbsec = dir->i_sb->s_security; 2784 2785 newsid = tsec->create_sid; 2786 2787 rc = selinux_determine_inode_label(selinux_cred(current_cred()), 2788 dir, qstr, 2789 inode_mode_to_security_class(inode->i_mode), 2790 &newsid); 2791 if (rc) 2792 return rc; 2793 2794 /* Possibly defer initialization to selinux_complete_init. */ 2795 if (sbsec->flags & SE_SBINITIALIZED) { 2796 struct inode_security_struct *isec = selinux_inode(inode); 2797 isec->sclass = inode_mode_to_security_class(inode->i_mode); 2798 isec->sid = newsid; 2799 isec->initialized = LABEL_INITIALIZED; 2800 } 2801 2802 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT)) 2803 return -EOPNOTSUPP; 2804 2805 if (name) 2806 *name = XATTR_SELINUX_SUFFIX; 2807 2808 if (value && len) { 2809 rc = security_sid_to_context_force(&selinux_state, newsid, 2810 &context, &clen); 2811 if (rc) 2812 return rc; 2813 *value = context; 2814 *len = clen; 2815 } 2816 2817 return 0; 2818 } 2819 2820 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) 2821 { 2822 return may_create(dir, dentry, SECCLASS_FILE); 2823 } 2824 2825 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 2826 { 2827 return may_link(dir, old_dentry, MAY_LINK); 2828 } 2829 2830 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 2831 { 2832 return may_link(dir, dentry, MAY_UNLINK); 2833 } 2834 2835 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 2836 { 2837 return may_create(dir, dentry, SECCLASS_LNK_FILE); 2838 } 2839 2840 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask) 2841 { 2842 return may_create(dir, dentry, SECCLASS_DIR); 2843 } 2844 2845 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 2846 { 2847 return may_link(dir, dentry, MAY_RMDIR); 2848 } 2849 2850 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) 2851 { 2852 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 2853 } 2854 2855 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 2856 struct inode *new_inode, struct dentry *new_dentry) 2857 { 2858 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 2859 } 2860 2861 static int selinux_inode_readlink(struct dentry *dentry) 2862 { 2863 const struct cred *cred = current_cred(); 2864 2865 return dentry_has_perm(cred, dentry, FILE__READ); 2866 } 2867 2868 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode, 2869 bool rcu) 2870 { 2871 const struct cred *cred = current_cred(); 2872 struct common_audit_data ad; 2873 struct inode_security_struct *isec; 2874 u32 sid; 2875 2876 validate_creds(cred); 2877 2878 ad.type = LSM_AUDIT_DATA_DENTRY; 2879 ad.u.dentry = dentry; 2880 sid = cred_sid(cred); 2881 isec = inode_security_rcu(inode, rcu); 2882 if (IS_ERR(isec)) 2883 return PTR_ERR(isec); 2884 2885 return avc_has_perm_flags(&selinux_state, 2886 sid, isec->sid, isec->sclass, FILE__READ, &ad, 2887 rcu ? MAY_NOT_BLOCK : 0); 2888 } 2889 2890 static noinline int audit_inode_permission(struct inode *inode, 2891 u32 perms, u32 audited, u32 denied, 2892 int result, 2893 unsigned flags) 2894 { 2895 struct common_audit_data ad; 2896 struct inode_security_struct *isec = selinux_inode(inode); 2897 int rc; 2898 2899 ad.type = LSM_AUDIT_DATA_INODE; 2900 ad.u.inode = inode; 2901 2902 rc = slow_avc_audit(&selinux_state, 2903 current_sid(), isec->sid, isec->sclass, perms, 2904 audited, denied, result, &ad, flags); 2905 if (rc) 2906 return rc; 2907 return 0; 2908 } 2909 2910 static int selinux_inode_permission(struct inode *inode, int mask) 2911 { 2912 const struct cred *cred = current_cred(); 2913 u32 perms; 2914 bool from_access; 2915 unsigned flags = mask & MAY_NOT_BLOCK; 2916 struct inode_security_struct *isec; 2917 u32 sid; 2918 struct av_decision avd; 2919 int rc, rc2; 2920 u32 audited, denied; 2921 2922 from_access = mask & MAY_ACCESS; 2923 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 2924 2925 /* No permission to check. Existence test. */ 2926 if (!mask) 2927 return 0; 2928 2929 validate_creds(cred); 2930 2931 if (unlikely(IS_PRIVATE(inode))) 2932 return 0; 2933 2934 perms = file_mask_to_av(inode->i_mode, mask); 2935 2936 sid = cred_sid(cred); 2937 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK); 2938 if (IS_ERR(isec)) 2939 return PTR_ERR(isec); 2940 2941 rc = avc_has_perm_noaudit(&selinux_state, 2942 sid, isec->sid, isec->sclass, perms, 0, &avd); 2943 audited = avc_audit_required(perms, &avd, rc, 2944 from_access ? FILE__AUDIT_ACCESS : 0, 2945 &denied); 2946 if (likely(!audited)) 2947 return rc; 2948 2949 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags); 2950 if (rc2) 2951 return rc2; 2952 return rc; 2953 } 2954 2955 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 2956 { 2957 const struct cred *cred = current_cred(); 2958 struct inode *inode = d_backing_inode(dentry); 2959 unsigned int ia_valid = iattr->ia_valid; 2960 __u32 av = FILE__WRITE; 2961 2962 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ 2963 if (ia_valid & ATTR_FORCE) { 2964 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE | 2965 ATTR_FORCE); 2966 if (!ia_valid) 2967 return 0; 2968 } 2969 2970 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 2971 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 2972 return dentry_has_perm(cred, dentry, FILE__SETATTR); 2973 2974 if (selinux_policycap_openperm() && 2975 inode->i_sb->s_magic != SOCKFS_MAGIC && 2976 (ia_valid & ATTR_SIZE) && 2977 !(ia_valid & ATTR_FILE)) 2978 av |= FILE__OPEN; 2979 2980 return dentry_has_perm(cred, dentry, av); 2981 } 2982 2983 static int selinux_inode_getattr(const struct path *path) 2984 { 2985 return path_has_perm(current_cred(), path, FILE__GETATTR); 2986 } 2987 2988 static bool has_cap_mac_admin(bool audit) 2989 { 2990 const struct cred *cred = current_cred(); 2991 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT; 2992 2993 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts)) 2994 return false; 2995 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true)) 2996 return false; 2997 return true; 2998 } 2999 3000 static int selinux_inode_setxattr(struct dentry *dentry, const char *name, 3001 const void *value, size_t size, int flags) 3002 { 3003 struct inode *inode = d_backing_inode(dentry); 3004 struct inode_security_struct *isec; 3005 struct superblock_security_struct *sbsec; 3006 struct common_audit_data ad; 3007 u32 newsid, sid = current_sid(); 3008 int rc = 0; 3009 3010 if (strcmp(name, XATTR_NAME_SELINUX)) { 3011 rc = cap_inode_setxattr(dentry, name, value, size, flags); 3012 if (rc) 3013 return rc; 3014 3015 /* Not an attribute we recognize, so just check the 3016 ordinary setattr permission. */ 3017 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3018 } 3019 3020 sbsec = inode->i_sb->s_security; 3021 if (!(sbsec->flags & SBLABEL_MNT)) 3022 return -EOPNOTSUPP; 3023 3024 if (!inode_owner_or_capable(inode)) 3025 return -EPERM; 3026 3027 ad.type = LSM_AUDIT_DATA_DENTRY; 3028 ad.u.dentry = dentry; 3029 3030 isec = backing_inode_security(dentry); 3031 rc = avc_has_perm(&selinux_state, 3032 sid, isec->sid, isec->sclass, 3033 FILE__RELABELFROM, &ad); 3034 if (rc) 3035 return rc; 3036 3037 rc = security_context_to_sid(&selinux_state, value, size, &newsid, 3038 GFP_KERNEL); 3039 if (rc == -EINVAL) { 3040 if (!has_cap_mac_admin(true)) { 3041 struct audit_buffer *ab; 3042 size_t audit_size; 3043 3044 /* We strip a nul only if it is at the end, otherwise the 3045 * context contains a nul and we should audit that */ 3046 if (value) { 3047 const char *str = value; 3048 3049 if (str[size - 1] == '\0') 3050 audit_size = size - 1; 3051 else 3052 audit_size = size; 3053 } else { 3054 audit_size = 0; 3055 } 3056 ab = audit_log_start(audit_context(), 3057 GFP_ATOMIC, AUDIT_SELINUX_ERR); 3058 audit_log_format(ab, "op=setxattr invalid_context="); 3059 audit_log_n_untrustedstring(ab, value, audit_size); 3060 audit_log_end(ab); 3061 3062 return rc; 3063 } 3064 rc = security_context_to_sid_force(&selinux_state, value, 3065 size, &newsid); 3066 } 3067 if (rc) 3068 return rc; 3069 3070 rc = avc_has_perm(&selinux_state, 3071 sid, newsid, isec->sclass, 3072 FILE__RELABELTO, &ad); 3073 if (rc) 3074 return rc; 3075 3076 rc = security_validate_transition(&selinux_state, isec->sid, newsid, 3077 sid, isec->sclass); 3078 if (rc) 3079 return rc; 3080 3081 return avc_has_perm(&selinux_state, 3082 newsid, 3083 sbsec->sid, 3084 SECCLASS_FILESYSTEM, 3085 FILESYSTEM__ASSOCIATE, 3086 &ad); 3087 } 3088 3089 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, 3090 const void *value, size_t size, 3091 int flags) 3092 { 3093 struct inode *inode = d_backing_inode(dentry); 3094 struct inode_security_struct *isec; 3095 u32 newsid; 3096 int rc; 3097 3098 if (strcmp(name, XATTR_NAME_SELINUX)) { 3099 /* Not an attribute we recognize, so nothing to do. */ 3100 return; 3101 } 3102 3103 rc = security_context_to_sid_force(&selinux_state, value, size, 3104 &newsid); 3105 if (rc) { 3106 pr_err("SELinux: unable to map context to SID" 3107 "for (%s, %lu), rc=%d\n", 3108 inode->i_sb->s_id, inode->i_ino, -rc); 3109 return; 3110 } 3111 3112 isec = backing_inode_security(dentry); 3113 spin_lock(&isec->lock); 3114 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3115 isec->sid = newsid; 3116 isec->initialized = LABEL_INITIALIZED; 3117 spin_unlock(&isec->lock); 3118 3119 return; 3120 } 3121 3122 static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 3123 { 3124 const struct cred *cred = current_cred(); 3125 3126 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3127 } 3128 3129 static int selinux_inode_listxattr(struct dentry *dentry) 3130 { 3131 const struct cred *cred = current_cred(); 3132 3133 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3134 } 3135 3136 static int selinux_inode_removexattr(struct dentry *dentry, const char *name) 3137 { 3138 if (strcmp(name, XATTR_NAME_SELINUX)) { 3139 int rc = cap_inode_removexattr(dentry, name); 3140 if (rc) 3141 return rc; 3142 3143 /* Not an attribute we recognize, so just check the 3144 ordinary setattr permission. */ 3145 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3146 } 3147 3148 /* No one is allowed to remove a SELinux security label. 3149 You can change the label, but all data must be labeled. */ 3150 return -EACCES; 3151 } 3152 3153 /* 3154 * Copy the inode security context value to the user. 3155 * 3156 * Permission check is handled by selinux_inode_getxattr hook. 3157 */ 3158 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc) 3159 { 3160 u32 size; 3161 int error; 3162 char *context = NULL; 3163 struct inode_security_struct *isec; 3164 3165 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3166 return -EOPNOTSUPP; 3167 3168 /* 3169 * If the caller has CAP_MAC_ADMIN, then get the raw context 3170 * value even if it is not defined by current policy; otherwise, 3171 * use the in-core value under current policy. 3172 * Use the non-auditing forms of the permission checks since 3173 * getxattr may be called by unprivileged processes commonly 3174 * and lack of permission just means that we fall back to the 3175 * in-core context value, not a denial. 3176 */ 3177 isec = inode_security(inode); 3178 if (has_cap_mac_admin(false)) 3179 error = security_sid_to_context_force(&selinux_state, 3180 isec->sid, &context, 3181 &size); 3182 else 3183 error = security_sid_to_context(&selinux_state, isec->sid, 3184 &context, &size); 3185 if (error) 3186 return error; 3187 error = size; 3188 if (alloc) { 3189 *buffer = context; 3190 goto out_nofree; 3191 } 3192 kfree(context); 3193 out_nofree: 3194 return error; 3195 } 3196 3197 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 3198 const void *value, size_t size, int flags) 3199 { 3200 struct inode_security_struct *isec = inode_security_novalidate(inode); 3201 u32 newsid; 3202 int rc; 3203 3204 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3205 return -EOPNOTSUPP; 3206 3207 if (!value || !size) 3208 return -EACCES; 3209 3210 rc = security_context_to_sid(&selinux_state, value, size, &newsid, 3211 GFP_KERNEL); 3212 if (rc) 3213 return rc; 3214 3215 spin_lock(&isec->lock); 3216 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3217 isec->sid = newsid; 3218 isec->initialized = LABEL_INITIALIZED; 3219 spin_unlock(&isec->lock); 3220 return 0; 3221 } 3222 3223 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 3224 { 3225 const int len = sizeof(XATTR_NAME_SELINUX); 3226 if (buffer && len <= buffer_size) 3227 memcpy(buffer, XATTR_NAME_SELINUX, len); 3228 return len; 3229 } 3230 3231 static void selinux_inode_getsecid(struct inode *inode, u32 *secid) 3232 { 3233 struct inode_security_struct *isec = inode_security_novalidate(inode); 3234 *secid = isec->sid; 3235 } 3236 3237 static int selinux_inode_copy_up(struct dentry *src, struct cred **new) 3238 { 3239 u32 sid; 3240 struct task_security_struct *tsec; 3241 struct cred *new_creds = *new; 3242 3243 if (new_creds == NULL) { 3244 new_creds = prepare_creds(); 3245 if (!new_creds) 3246 return -ENOMEM; 3247 } 3248 3249 tsec = selinux_cred(new_creds); 3250 /* Get label from overlay inode and set it in create_sid */ 3251 selinux_inode_getsecid(d_inode(src), &sid); 3252 tsec->create_sid = sid; 3253 *new = new_creds; 3254 return 0; 3255 } 3256 3257 static int selinux_inode_copy_up_xattr(const char *name) 3258 { 3259 /* The copy_up hook above sets the initial context on an inode, but we 3260 * don't then want to overwrite it by blindly copying all the lower 3261 * xattrs up. Instead, we have to filter out SELinux-related xattrs. 3262 */ 3263 if (strcmp(name, XATTR_NAME_SELINUX) == 0) 3264 return 1; /* Discard */ 3265 /* 3266 * Any other attribute apart from SELINUX is not claimed, supported 3267 * by selinux. 3268 */ 3269 return -EOPNOTSUPP; 3270 } 3271 3272 /* file security operations */ 3273 3274 static int selinux_revalidate_file_permission(struct file *file, int mask) 3275 { 3276 const struct cred *cred = current_cred(); 3277 struct inode *inode = file_inode(file); 3278 3279 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 3280 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 3281 mask |= MAY_APPEND; 3282 3283 return file_has_perm(cred, file, 3284 file_mask_to_av(inode->i_mode, mask)); 3285 } 3286 3287 static int selinux_file_permission(struct file *file, int mask) 3288 { 3289 struct inode *inode = file_inode(file); 3290 struct file_security_struct *fsec = selinux_file(file); 3291 struct inode_security_struct *isec; 3292 u32 sid = current_sid(); 3293 3294 if (!mask) 3295 /* No permission to check. Existence test. */ 3296 return 0; 3297 3298 isec = inode_security(inode); 3299 if (sid == fsec->sid && fsec->isid == isec->sid && 3300 fsec->pseqno == avc_policy_seqno(&selinux_state)) 3301 /* No change since file_open check. */ 3302 return 0; 3303 3304 return selinux_revalidate_file_permission(file, mask); 3305 } 3306 3307 static int selinux_file_alloc_security(struct file *file) 3308 { 3309 return file_alloc_security(file); 3310 } 3311 3312 /* 3313 * Check whether a task has the ioctl permission and cmd 3314 * operation to an inode. 3315 */ 3316 static int ioctl_has_perm(const struct cred *cred, struct file *file, 3317 u32 requested, u16 cmd) 3318 { 3319 struct common_audit_data ad; 3320 struct file_security_struct *fsec = selinux_file(file); 3321 struct inode *inode = file_inode(file); 3322 struct inode_security_struct *isec; 3323 struct lsm_ioctlop_audit ioctl; 3324 u32 ssid = cred_sid(cred); 3325 int rc; 3326 u8 driver = cmd >> 8; 3327 u8 xperm = cmd & 0xff; 3328 3329 ad.type = LSM_AUDIT_DATA_IOCTL_OP; 3330 ad.u.op = &ioctl; 3331 ad.u.op->cmd = cmd; 3332 ad.u.op->path = file->f_path; 3333 3334 if (ssid != fsec->sid) { 3335 rc = avc_has_perm(&selinux_state, 3336 ssid, fsec->sid, 3337 SECCLASS_FD, 3338 FD__USE, 3339 &ad); 3340 if (rc) 3341 goto out; 3342 } 3343 3344 if (unlikely(IS_PRIVATE(inode))) 3345 return 0; 3346 3347 isec = inode_security(inode); 3348 rc = avc_has_extended_perms(&selinux_state, 3349 ssid, isec->sid, isec->sclass, 3350 requested, driver, xperm, &ad); 3351 out: 3352 return rc; 3353 } 3354 3355 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 3356 unsigned long arg) 3357 { 3358 const struct cred *cred = current_cred(); 3359 int error = 0; 3360 3361 switch (cmd) { 3362 case FIONREAD: 3363 /* fall through */ 3364 case FIBMAP: 3365 /* fall through */ 3366 case FIGETBSZ: 3367 /* fall through */ 3368 case FS_IOC_GETFLAGS: 3369 /* fall through */ 3370 case FS_IOC_GETVERSION: 3371 error = file_has_perm(cred, file, FILE__GETATTR); 3372 break; 3373 3374 case FS_IOC_SETFLAGS: 3375 /* fall through */ 3376 case FS_IOC_SETVERSION: 3377 error = file_has_perm(cred, file, FILE__SETATTR); 3378 break; 3379 3380 /* sys_ioctl() checks */ 3381 case FIONBIO: 3382 /* fall through */ 3383 case FIOASYNC: 3384 error = file_has_perm(cred, file, 0); 3385 break; 3386 3387 case KDSKBENT: 3388 case KDSKBSENT: 3389 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, 3390 CAP_OPT_NONE, true); 3391 break; 3392 3393 /* default case assumes that the command will go 3394 * to the file's ioctl() function. 3395 */ 3396 default: 3397 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3398 } 3399 return error; 3400 } 3401 3402 static int default_noexec; 3403 3404 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3405 { 3406 const struct cred *cred = current_cred(); 3407 u32 sid = cred_sid(cred); 3408 int rc = 0; 3409 3410 if (default_noexec && 3411 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) || 3412 (!shared && (prot & PROT_WRITE)))) { 3413 /* 3414 * We are making executable an anonymous mapping or a 3415 * private file mapping that will also be writable. 3416 * This has an additional check. 3417 */ 3418 rc = avc_has_perm(&selinux_state, 3419 sid, sid, SECCLASS_PROCESS, 3420 PROCESS__EXECMEM, NULL); 3421 if (rc) 3422 goto error; 3423 } 3424 3425 if (file) { 3426 /* read access is always possible with a mapping */ 3427 u32 av = FILE__READ; 3428 3429 /* write access only matters if the mapping is shared */ 3430 if (shared && (prot & PROT_WRITE)) 3431 av |= FILE__WRITE; 3432 3433 if (prot & PROT_EXEC) 3434 av |= FILE__EXECUTE; 3435 3436 return file_has_perm(cred, file, av); 3437 } 3438 3439 error: 3440 return rc; 3441 } 3442 3443 static int selinux_mmap_addr(unsigned long addr) 3444 { 3445 int rc = 0; 3446 3447 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3448 u32 sid = current_sid(); 3449 rc = avc_has_perm(&selinux_state, 3450 sid, sid, SECCLASS_MEMPROTECT, 3451 MEMPROTECT__MMAP_ZERO, NULL); 3452 } 3453 3454 return rc; 3455 } 3456 3457 static int selinux_mmap_file(struct file *file, unsigned long reqprot, 3458 unsigned long prot, unsigned long flags) 3459 { 3460 struct common_audit_data ad; 3461 int rc; 3462 3463 if (file) { 3464 ad.type = LSM_AUDIT_DATA_FILE; 3465 ad.u.file = file; 3466 rc = inode_has_perm(current_cred(), file_inode(file), 3467 FILE__MAP, &ad); 3468 if (rc) 3469 return rc; 3470 } 3471 3472 if (selinux_state.checkreqprot) 3473 prot = reqprot; 3474 3475 return file_map_prot_check(file, prot, 3476 (flags & MAP_TYPE) == MAP_SHARED); 3477 } 3478 3479 static int selinux_file_mprotect(struct vm_area_struct *vma, 3480 unsigned long reqprot, 3481 unsigned long prot) 3482 { 3483 const struct cred *cred = current_cred(); 3484 u32 sid = cred_sid(cred); 3485 3486 if (selinux_state.checkreqprot) 3487 prot = reqprot; 3488 3489 if (default_noexec && 3490 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 3491 int rc = 0; 3492 if (vma->vm_start >= vma->vm_mm->start_brk && 3493 vma->vm_end <= vma->vm_mm->brk) { 3494 rc = avc_has_perm(&selinux_state, 3495 sid, sid, SECCLASS_PROCESS, 3496 PROCESS__EXECHEAP, NULL); 3497 } else if (!vma->vm_file && 3498 ((vma->vm_start <= vma->vm_mm->start_stack && 3499 vma->vm_end >= vma->vm_mm->start_stack) || 3500 vma_is_stack_for_current(vma))) { 3501 rc = avc_has_perm(&selinux_state, 3502 sid, sid, SECCLASS_PROCESS, 3503 PROCESS__EXECSTACK, NULL); 3504 } else if (vma->vm_file && vma->anon_vma) { 3505 /* 3506 * We are making executable a file mapping that has 3507 * had some COW done. Since pages might have been 3508 * written, check ability to execute the possibly 3509 * modified content. This typically should only 3510 * occur for text relocations. 3511 */ 3512 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); 3513 } 3514 if (rc) 3515 return rc; 3516 } 3517 3518 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 3519 } 3520 3521 static int selinux_file_lock(struct file *file, unsigned int cmd) 3522 { 3523 const struct cred *cred = current_cred(); 3524 3525 return file_has_perm(cred, file, FILE__LOCK); 3526 } 3527 3528 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 3529 unsigned long arg) 3530 { 3531 const struct cred *cred = current_cred(); 3532 int err = 0; 3533 3534 switch (cmd) { 3535 case F_SETFL: 3536 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 3537 err = file_has_perm(cred, file, FILE__WRITE); 3538 break; 3539 } 3540 /* fall through */ 3541 case F_SETOWN: 3542 case F_SETSIG: 3543 case F_GETFL: 3544 case F_GETOWN: 3545 case F_GETSIG: 3546 case F_GETOWNER_UIDS: 3547 /* Just check FD__USE permission */ 3548 err = file_has_perm(cred, file, 0); 3549 break; 3550 case F_GETLK: 3551 case F_SETLK: 3552 case F_SETLKW: 3553 case F_OFD_GETLK: 3554 case F_OFD_SETLK: 3555 case F_OFD_SETLKW: 3556 #if BITS_PER_LONG == 32 3557 case F_GETLK64: 3558 case F_SETLK64: 3559 case F_SETLKW64: 3560 #endif 3561 err = file_has_perm(cred, file, FILE__LOCK); 3562 break; 3563 } 3564 3565 return err; 3566 } 3567 3568 static void selinux_file_set_fowner(struct file *file) 3569 { 3570 struct file_security_struct *fsec; 3571 3572 fsec = selinux_file(file); 3573 fsec->fown_sid = current_sid(); 3574 } 3575 3576 static int selinux_file_send_sigiotask(struct task_struct *tsk, 3577 struct fown_struct *fown, int signum) 3578 { 3579 struct file *file; 3580 u32 sid = task_sid(tsk); 3581 u32 perm; 3582 struct file_security_struct *fsec; 3583 3584 /* struct fown_struct is never outside the context of a struct file */ 3585 file = container_of(fown, struct file, f_owner); 3586 3587 fsec = selinux_file(file); 3588 3589 if (!signum) 3590 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 3591 else 3592 perm = signal_to_av(signum); 3593 3594 return avc_has_perm(&selinux_state, 3595 fsec->fown_sid, sid, 3596 SECCLASS_PROCESS, perm, NULL); 3597 } 3598 3599 static int selinux_file_receive(struct file *file) 3600 { 3601 const struct cred *cred = current_cred(); 3602 3603 return file_has_perm(cred, file, file_to_av(file)); 3604 } 3605 3606 static int selinux_file_open(struct file *file) 3607 { 3608 struct file_security_struct *fsec; 3609 struct inode_security_struct *isec; 3610 3611 fsec = selinux_file(file); 3612 isec = inode_security(file_inode(file)); 3613 /* 3614 * Save inode label and policy sequence number 3615 * at open-time so that selinux_file_permission 3616 * can determine whether revalidation is necessary. 3617 * Task label is already saved in the file security 3618 * struct as its SID. 3619 */ 3620 fsec->isid = isec->sid; 3621 fsec->pseqno = avc_policy_seqno(&selinux_state); 3622 /* 3623 * Since the inode label or policy seqno may have changed 3624 * between the selinux_inode_permission check and the saving 3625 * of state above, recheck that access is still permitted. 3626 * Otherwise, access might never be revalidated against the 3627 * new inode label or new policy. 3628 * This check is not redundant - do not remove. 3629 */ 3630 return file_path_has_perm(file->f_cred, file, open_file_to_av(file)); 3631 } 3632 3633 /* task security operations */ 3634 3635 static int selinux_task_alloc(struct task_struct *task, 3636 unsigned long clone_flags) 3637 { 3638 u32 sid = current_sid(); 3639 3640 return avc_has_perm(&selinux_state, 3641 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); 3642 } 3643 3644 /* 3645 * prepare a new set of credentials for modification 3646 */ 3647 static int selinux_cred_prepare(struct cred *new, const struct cred *old, 3648 gfp_t gfp) 3649 { 3650 const struct task_security_struct *old_tsec = selinux_cred(old); 3651 struct task_security_struct *tsec = selinux_cred(new); 3652 3653 *tsec = *old_tsec; 3654 return 0; 3655 } 3656 3657 /* 3658 * transfer the SELinux data to a blank set of creds 3659 */ 3660 static void selinux_cred_transfer(struct cred *new, const struct cred *old) 3661 { 3662 const struct task_security_struct *old_tsec = selinux_cred(old); 3663 struct task_security_struct *tsec = selinux_cred(new); 3664 3665 *tsec = *old_tsec; 3666 } 3667 3668 static void selinux_cred_getsecid(const struct cred *c, u32 *secid) 3669 { 3670 *secid = cred_sid(c); 3671 } 3672 3673 /* 3674 * set the security data for a kernel service 3675 * - all the creation contexts are set to unlabelled 3676 */ 3677 static int selinux_kernel_act_as(struct cred *new, u32 secid) 3678 { 3679 struct task_security_struct *tsec = selinux_cred(new); 3680 u32 sid = current_sid(); 3681 int ret; 3682 3683 ret = avc_has_perm(&selinux_state, 3684 sid, secid, 3685 SECCLASS_KERNEL_SERVICE, 3686 KERNEL_SERVICE__USE_AS_OVERRIDE, 3687 NULL); 3688 if (ret == 0) { 3689 tsec->sid = secid; 3690 tsec->create_sid = 0; 3691 tsec->keycreate_sid = 0; 3692 tsec->sockcreate_sid = 0; 3693 } 3694 return ret; 3695 } 3696 3697 /* 3698 * set the file creation context in a security record to the same as the 3699 * objective context of the specified inode 3700 */ 3701 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 3702 { 3703 struct inode_security_struct *isec = inode_security(inode); 3704 struct task_security_struct *tsec = selinux_cred(new); 3705 u32 sid = current_sid(); 3706 int ret; 3707 3708 ret = avc_has_perm(&selinux_state, 3709 sid, isec->sid, 3710 SECCLASS_KERNEL_SERVICE, 3711 KERNEL_SERVICE__CREATE_FILES_AS, 3712 NULL); 3713 3714 if (ret == 0) 3715 tsec->create_sid = isec->sid; 3716 return ret; 3717 } 3718 3719 static int selinux_kernel_module_request(char *kmod_name) 3720 { 3721 struct common_audit_data ad; 3722 3723 ad.type = LSM_AUDIT_DATA_KMOD; 3724 ad.u.kmod_name = kmod_name; 3725 3726 return avc_has_perm(&selinux_state, 3727 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM, 3728 SYSTEM__MODULE_REQUEST, &ad); 3729 } 3730 3731 static int selinux_kernel_module_from_file(struct file *file) 3732 { 3733 struct common_audit_data ad; 3734 struct inode_security_struct *isec; 3735 struct file_security_struct *fsec; 3736 u32 sid = current_sid(); 3737 int rc; 3738 3739 /* init_module */ 3740 if (file == NULL) 3741 return avc_has_perm(&selinux_state, 3742 sid, sid, SECCLASS_SYSTEM, 3743 SYSTEM__MODULE_LOAD, NULL); 3744 3745 /* finit_module */ 3746 3747 ad.type = LSM_AUDIT_DATA_FILE; 3748 ad.u.file = file; 3749 3750 fsec = selinux_file(file); 3751 if (sid != fsec->sid) { 3752 rc = avc_has_perm(&selinux_state, 3753 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); 3754 if (rc) 3755 return rc; 3756 } 3757 3758 isec = inode_security(file_inode(file)); 3759 return avc_has_perm(&selinux_state, 3760 sid, isec->sid, SECCLASS_SYSTEM, 3761 SYSTEM__MODULE_LOAD, &ad); 3762 } 3763 3764 static int selinux_kernel_read_file(struct file *file, 3765 enum kernel_read_file_id id) 3766 { 3767 int rc = 0; 3768 3769 switch (id) { 3770 case READING_MODULE: 3771 rc = selinux_kernel_module_from_file(file); 3772 break; 3773 default: 3774 break; 3775 } 3776 3777 return rc; 3778 } 3779 3780 static int selinux_kernel_load_data(enum kernel_load_data_id id) 3781 { 3782 int rc = 0; 3783 3784 switch (id) { 3785 case LOADING_MODULE: 3786 rc = selinux_kernel_module_from_file(NULL); 3787 default: 3788 break; 3789 } 3790 3791 return rc; 3792 } 3793 3794 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 3795 { 3796 return avc_has_perm(&selinux_state, 3797 current_sid(), task_sid(p), SECCLASS_PROCESS, 3798 PROCESS__SETPGID, NULL); 3799 } 3800 3801 static int selinux_task_getpgid(struct task_struct *p) 3802 { 3803 return avc_has_perm(&selinux_state, 3804 current_sid(), task_sid(p), SECCLASS_PROCESS, 3805 PROCESS__GETPGID, NULL); 3806 } 3807 3808 static int selinux_task_getsid(struct task_struct *p) 3809 { 3810 return avc_has_perm(&selinux_state, 3811 current_sid(), task_sid(p), SECCLASS_PROCESS, 3812 PROCESS__GETSESSION, NULL); 3813 } 3814 3815 static void selinux_task_getsecid(struct task_struct *p, u32 *secid) 3816 { 3817 *secid = task_sid(p); 3818 } 3819 3820 static int selinux_task_setnice(struct task_struct *p, int nice) 3821 { 3822 return avc_has_perm(&selinux_state, 3823 current_sid(), task_sid(p), SECCLASS_PROCESS, 3824 PROCESS__SETSCHED, NULL); 3825 } 3826 3827 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 3828 { 3829 return avc_has_perm(&selinux_state, 3830 current_sid(), task_sid(p), SECCLASS_PROCESS, 3831 PROCESS__SETSCHED, NULL); 3832 } 3833 3834 static int selinux_task_getioprio(struct task_struct *p) 3835 { 3836 return avc_has_perm(&selinux_state, 3837 current_sid(), task_sid(p), SECCLASS_PROCESS, 3838 PROCESS__GETSCHED, NULL); 3839 } 3840 3841 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred, 3842 unsigned int flags) 3843 { 3844 u32 av = 0; 3845 3846 if (!flags) 3847 return 0; 3848 if (flags & LSM_PRLIMIT_WRITE) 3849 av |= PROCESS__SETRLIMIT; 3850 if (flags & LSM_PRLIMIT_READ) 3851 av |= PROCESS__GETRLIMIT; 3852 return avc_has_perm(&selinux_state, 3853 cred_sid(cred), cred_sid(tcred), 3854 SECCLASS_PROCESS, av, NULL); 3855 } 3856 3857 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, 3858 struct rlimit *new_rlim) 3859 { 3860 struct rlimit *old_rlim = p->signal->rlim + resource; 3861 3862 /* Control the ability to change the hard limit (whether 3863 lowering or raising it), so that the hard limit can 3864 later be used as a safe reset point for the soft limit 3865 upon context transitions. See selinux_bprm_committing_creds. */ 3866 if (old_rlim->rlim_max != new_rlim->rlim_max) 3867 return avc_has_perm(&selinux_state, 3868 current_sid(), task_sid(p), 3869 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL); 3870 3871 return 0; 3872 } 3873 3874 static int selinux_task_setscheduler(struct task_struct *p) 3875 { 3876 return avc_has_perm(&selinux_state, 3877 current_sid(), task_sid(p), SECCLASS_PROCESS, 3878 PROCESS__SETSCHED, NULL); 3879 } 3880 3881 static int selinux_task_getscheduler(struct task_struct *p) 3882 { 3883 return avc_has_perm(&selinux_state, 3884 current_sid(), task_sid(p), SECCLASS_PROCESS, 3885 PROCESS__GETSCHED, NULL); 3886 } 3887 3888 static int selinux_task_movememory(struct task_struct *p) 3889 { 3890 return avc_has_perm(&selinux_state, 3891 current_sid(), task_sid(p), SECCLASS_PROCESS, 3892 PROCESS__SETSCHED, NULL); 3893 } 3894 3895 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info, 3896 int sig, const struct cred *cred) 3897 { 3898 u32 secid; 3899 u32 perm; 3900 3901 if (!sig) 3902 perm = PROCESS__SIGNULL; /* null signal; existence test */ 3903 else 3904 perm = signal_to_av(sig); 3905 if (!cred) 3906 secid = current_sid(); 3907 else 3908 secid = cred_sid(cred); 3909 return avc_has_perm(&selinux_state, 3910 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL); 3911 } 3912 3913 static void selinux_task_to_inode(struct task_struct *p, 3914 struct inode *inode) 3915 { 3916 struct inode_security_struct *isec = selinux_inode(inode); 3917 u32 sid = task_sid(p); 3918 3919 spin_lock(&isec->lock); 3920 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3921 isec->sid = sid; 3922 isec->initialized = LABEL_INITIALIZED; 3923 spin_unlock(&isec->lock); 3924 } 3925 3926 /* Returns error only if unable to parse addresses */ 3927 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 3928 struct common_audit_data *ad, u8 *proto) 3929 { 3930 int offset, ihlen, ret = -EINVAL; 3931 struct iphdr _iph, *ih; 3932 3933 offset = skb_network_offset(skb); 3934 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 3935 if (ih == NULL) 3936 goto out; 3937 3938 ihlen = ih->ihl * 4; 3939 if (ihlen < sizeof(_iph)) 3940 goto out; 3941 3942 ad->u.net->v4info.saddr = ih->saddr; 3943 ad->u.net->v4info.daddr = ih->daddr; 3944 ret = 0; 3945 3946 if (proto) 3947 *proto = ih->protocol; 3948 3949 switch (ih->protocol) { 3950 case IPPROTO_TCP: { 3951 struct tcphdr _tcph, *th; 3952 3953 if (ntohs(ih->frag_off) & IP_OFFSET) 3954 break; 3955 3956 offset += ihlen; 3957 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3958 if (th == NULL) 3959 break; 3960 3961 ad->u.net->sport = th->source; 3962 ad->u.net->dport = th->dest; 3963 break; 3964 } 3965 3966 case IPPROTO_UDP: { 3967 struct udphdr _udph, *uh; 3968 3969 if (ntohs(ih->frag_off) & IP_OFFSET) 3970 break; 3971 3972 offset += ihlen; 3973 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3974 if (uh == NULL) 3975 break; 3976 3977 ad->u.net->sport = uh->source; 3978 ad->u.net->dport = uh->dest; 3979 break; 3980 } 3981 3982 case IPPROTO_DCCP: { 3983 struct dccp_hdr _dccph, *dh; 3984 3985 if (ntohs(ih->frag_off) & IP_OFFSET) 3986 break; 3987 3988 offset += ihlen; 3989 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3990 if (dh == NULL) 3991 break; 3992 3993 ad->u.net->sport = dh->dccph_sport; 3994 ad->u.net->dport = dh->dccph_dport; 3995 break; 3996 } 3997 3998 #if IS_ENABLED(CONFIG_IP_SCTP) 3999 case IPPROTO_SCTP: { 4000 struct sctphdr _sctph, *sh; 4001 4002 if (ntohs(ih->frag_off) & IP_OFFSET) 4003 break; 4004 4005 offset += ihlen; 4006 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4007 if (sh == NULL) 4008 break; 4009 4010 ad->u.net->sport = sh->source; 4011 ad->u.net->dport = sh->dest; 4012 break; 4013 } 4014 #endif 4015 default: 4016 break; 4017 } 4018 out: 4019 return ret; 4020 } 4021 4022 #if IS_ENABLED(CONFIG_IPV6) 4023 4024 /* Returns error only if unable to parse addresses */ 4025 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 4026 struct common_audit_data *ad, u8 *proto) 4027 { 4028 u8 nexthdr; 4029 int ret = -EINVAL, offset; 4030 struct ipv6hdr _ipv6h, *ip6; 4031 __be16 frag_off; 4032 4033 offset = skb_network_offset(skb); 4034 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4035 if (ip6 == NULL) 4036 goto out; 4037 4038 ad->u.net->v6info.saddr = ip6->saddr; 4039 ad->u.net->v6info.daddr = ip6->daddr; 4040 ret = 0; 4041 4042 nexthdr = ip6->nexthdr; 4043 offset += sizeof(_ipv6h); 4044 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4045 if (offset < 0) 4046 goto out; 4047 4048 if (proto) 4049 *proto = nexthdr; 4050 4051 switch (nexthdr) { 4052 case IPPROTO_TCP: { 4053 struct tcphdr _tcph, *th; 4054 4055 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4056 if (th == NULL) 4057 break; 4058 4059 ad->u.net->sport = th->source; 4060 ad->u.net->dport = th->dest; 4061 break; 4062 } 4063 4064 case IPPROTO_UDP: { 4065 struct udphdr _udph, *uh; 4066 4067 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4068 if (uh == NULL) 4069 break; 4070 4071 ad->u.net->sport = uh->source; 4072 ad->u.net->dport = uh->dest; 4073 break; 4074 } 4075 4076 case IPPROTO_DCCP: { 4077 struct dccp_hdr _dccph, *dh; 4078 4079 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4080 if (dh == NULL) 4081 break; 4082 4083 ad->u.net->sport = dh->dccph_sport; 4084 ad->u.net->dport = dh->dccph_dport; 4085 break; 4086 } 4087 4088 #if IS_ENABLED(CONFIG_IP_SCTP) 4089 case IPPROTO_SCTP: { 4090 struct sctphdr _sctph, *sh; 4091 4092 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4093 if (sh == NULL) 4094 break; 4095 4096 ad->u.net->sport = sh->source; 4097 ad->u.net->dport = sh->dest; 4098 break; 4099 } 4100 #endif 4101 /* includes fragments */ 4102 default: 4103 break; 4104 } 4105 out: 4106 return ret; 4107 } 4108 4109 #endif /* IPV6 */ 4110 4111 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, 4112 char **_addrp, int src, u8 *proto) 4113 { 4114 char *addrp; 4115 int ret; 4116 4117 switch (ad->u.net->family) { 4118 case PF_INET: 4119 ret = selinux_parse_skb_ipv4(skb, ad, proto); 4120 if (ret) 4121 goto parse_error; 4122 addrp = (char *)(src ? &ad->u.net->v4info.saddr : 4123 &ad->u.net->v4info.daddr); 4124 goto okay; 4125 4126 #if IS_ENABLED(CONFIG_IPV6) 4127 case PF_INET6: 4128 ret = selinux_parse_skb_ipv6(skb, ad, proto); 4129 if (ret) 4130 goto parse_error; 4131 addrp = (char *)(src ? &ad->u.net->v6info.saddr : 4132 &ad->u.net->v6info.daddr); 4133 goto okay; 4134 #endif /* IPV6 */ 4135 default: 4136 addrp = NULL; 4137 goto okay; 4138 } 4139 4140 parse_error: 4141 pr_warn( 4142 "SELinux: failure in selinux_parse_skb()," 4143 " unable to parse packet\n"); 4144 return ret; 4145 4146 okay: 4147 if (_addrp) 4148 *_addrp = addrp; 4149 return 0; 4150 } 4151 4152 /** 4153 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 4154 * @skb: the packet 4155 * @family: protocol family 4156 * @sid: the packet's peer label SID 4157 * 4158 * Description: 4159 * Check the various different forms of network peer labeling and determine 4160 * the peer label/SID for the packet; most of the magic actually occurs in 4161 * the security server function security_net_peersid_cmp(). The function 4162 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 4163 * or -EACCES if @sid is invalid due to inconsistencies with the different 4164 * peer labels. 4165 * 4166 */ 4167 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 4168 { 4169 int err; 4170 u32 xfrm_sid; 4171 u32 nlbl_sid; 4172 u32 nlbl_type; 4173 4174 err = selinux_xfrm_skb_sid(skb, &xfrm_sid); 4175 if (unlikely(err)) 4176 return -EACCES; 4177 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 4178 if (unlikely(err)) 4179 return -EACCES; 4180 4181 err = security_net_peersid_resolve(&selinux_state, nlbl_sid, 4182 nlbl_type, xfrm_sid, sid); 4183 if (unlikely(err)) { 4184 pr_warn( 4185 "SELinux: failure in selinux_skb_peerlbl_sid()," 4186 " unable to determine packet's peer label\n"); 4187 return -EACCES; 4188 } 4189 4190 return 0; 4191 } 4192 4193 /** 4194 * selinux_conn_sid - Determine the child socket label for a connection 4195 * @sk_sid: the parent socket's SID 4196 * @skb_sid: the packet's SID 4197 * @conn_sid: the resulting connection SID 4198 * 4199 * If @skb_sid is valid then the user:role:type information from @sk_sid is 4200 * combined with the MLS information from @skb_sid in order to create 4201 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy 4202 * of @sk_sid. Returns zero on success, negative values on failure. 4203 * 4204 */ 4205 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid) 4206 { 4207 int err = 0; 4208 4209 if (skb_sid != SECSID_NULL) 4210 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid, 4211 conn_sid); 4212 else 4213 *conn_sid = sk_sid; 4214 4215 return err; 4216 } 4217 4218 /* socket security operations */ 4219 4220 static int socket_sockcreate_sid(const struct task_security_struct *tsec, 4221 u16 secclass, u32 *socksid) 4222 { 4223 if (tsec->sockcreate_sid > SECSID_NULL) { 4224 *socksid = tsec->sockcreate_sid; 4225 return 0; 4226 } 4227 4228 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid, 4229 secclass, NULL, socksid); 4230 } 4231 4232 static int sock_has_perm(struct sock *sk, u32 perms) 4233 { 4234 struct sk_security_struct *sksec = sk->sk_security; 4235 struct common_audit_data ad; 4236 struct lsm_network_audit net = {0,}; 4237 4238 if (sksec->sid == SECINITSID_KERNEL) 4239 return 0; 4240 4241 ad.type = LSM_AUDIT_DATA_NET; 4242 ad.u.net = &net; 4243 ad.u.net->sk = sk; 4244 4245 return avc_has_perm(&selinux_state, 4246 current_sid(), sksec->sid, sksec->sclass, perms, 4247 &ad); 4248 } 4249 4250 static int selinux_socket_create(int family, int type, 4251 int protocol, int kern) 4252 { 4253 const struct task_security_struct *tsec = selinux_cred(current_cred()); 4254 u32 newsid; 4255 u16 secclass; 4256 int rc; 4257 4258 if (kern) 4259 return 0; 4260 4261 secclass = socket_type_to_security_class(family, type, protocol); 4262 rc = socket_sockcreate_sid(tsec, secclass, &newsid); 4263 if (rc) 4264 return rc; 4265 4266 return avc_has_perm(&selinux_state, 4267 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4268 } 4269 4270 static int selinux_socket_post_create(struct socket *sock, int family, 4271 int type, int protocol, int kern) 4272 { 4273 const struct task_security_struct *tsec = selinux_cred(current_cred()); 4274 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); 4275 struct sk_security_struct *sksec; 4276 u16 sclass = socket_type_to_security_class(family, type, protocol); 4277 u32 sid = SECINITSID_KERNEL; 4278 int err = 0; 4279 4280 if (!kern) { 4281 err = socket_sockcreate_sid(tsec, sclass, &sid); 4282 if (err) 4283 return err; 4284 } 4285 4286 isec->sclass = sclass; 4287 isec->sid = sid; 4288 isec->initialized = LABEL_INITIALIZED; 4289 4290 if (sock->sk) { 4291 sksec = sock->sk->sk_security; 4292 sksec->sclass = sclass; 4293 sksec->sid = sid; 4294 /* Allows detection of the first association on this socket */ 4295 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4296 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET; 4297 4298 err = selinux_netlbl_socket_post_create(sock->sk, family); 4299 } 4300 4301 return err; 4302 } 4303 4304 static int selinux_socket_socketpair(struct socket *socka, 4305 struct socket *sockb) 4306 { 4307 struct sk_security_struct *sksec_a = socka->sk->sk_security; 4308 struct sk_security_struct *sksec_b = sockb->sk->sk_security; 4309 4310 sksec_a->peer_sid = sksec_b->sid; 4311 sksec_b->peer_sid = sksec_a->sid; 4312 4313 return 0; 4314 } 4315 4316 /* Range of port numbers used to automatically bind. 4317 Need to determine whether we should perform a name_bind 4318 permission check between the socket and the port number. */ 4319 4320 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 4321 { 4322 struct sock *sk = sock->sk; 4323 struct sk_security_struct *sksec = sk->sk_security; 4324 u16 family; 4325 int err; 4326 4327 err = sock_has_perm(sk, SOCKET__BIND); 4328 if (err) 4329 goto out; 4330 4331 /* If PF_INET or PF_INET6, check name_bind permission for the port. */ 4332 family = sk->sk_family; 4333 if (family == PF_INET || family == PF_INET6) { 4334 char *addrp; 4335 struct common_audit_data ad; 4336 struct lsm_network_audit net = {0,}; 4337 struct sockaddr_in *addr4 = NULL; 4338 struct sockaddr_in6 *addr6 = NULL; 4339 u16 family_sa = address->sa_family; 4340 unsigned short snum; 4341 u32 sid, node_perm; 4342 4343 /* 4344 * sctp_bindx(3) calls via selinux_sctp_bind_connect() 4345 * that validates multiple binding addresses. Because of this 4346 * need to check address->sa_family as it is possible to have 4347 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4348 */ 4349 switch (family_sa) { 4350 case AF_UNSPEC: 4351 case AF_INET: 4352 if (addrlen < sizeof(struct sockaddr_in)) 4353 return -EINVAL; 4354 addr4 = (struct sockaddr_in *)address; 4355 if (family_sa == AF_UNSPEC) { 4356 /* see __inet_bind(), we only want to allow 4357 * AF_UNSPEC if the address is INADDR_ANY 4358 */ 4359 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY)) 4360 goto err_af; 4361 family_sa = AF_INET; 4362 } 4363 snum = ntohs(addr4->sin_port); 4364 addrp = (char *)&addr4->sin_addr.s_addr; 4365 break; 4366 case AF_INET6: 4367 if (addrlen < SIN6_LEN_RFC2133) 4368 return -EINVAL; 4369 addr6 = (struct sockaddr_in6 *)address; 4370 snum = ntohs(addr6->sin6_port); 4371 addrp = (char *)&addr6->sin6_addr.s6_addr; 4372 break; 4373 default: 4374 goto err_af; 4375 } 4376 4377 ad.type = LSM_AUDIT_DATA_NET; 4378 ad.u.net = &net; 4379 ad.u.net->sport = htons(snum); 4380 ad.u.net->family = family_sa; 4381 4382 if (snum) { 4383 int low, high; 4384 4385 inet_get_local_port_range(sock_net(sk), &low, &high); 4386 4387 if (snum < max(inet_prot_sock(sock_net(sk)), low) || 4388 snum > high) { 4389 err = sel_netport_sid(sk->sk_protocol, 4390 snum, &sid); 4391 if (err) 4392 goto out; 4393 err = avc_has_perm(&selinux_state, 4394 sksec->sid, sid, 4395 sksec->sclass, 4396 SOCKET__NAME_BIND, &ad); 4397 if (err) 4398 goto out; 4399 } 4400 } 4401 4402 switch (sksec->sclass) { 4403 case SECCLASS_TCP_SOCKET: 4404 node_perm = TCP_SOCKET__NODE_BIND; 4405 break; 4406 4407 case SECCLASS_UDP_SOCKET: 4408 node_perm = UDP_SOCKET__NODE_BIND; 4409 break; 4410 4411 case SECCLASS_DCCP_SOCKET: 4412 node_perm = DCCP_SOCKET__NODE_BIND; 4413 break; 4414 4415 case SECCLASS_SCTP_SOCKET: 4416 node_perm = SCTP_SOCKET__NODE_BIND; 4417 break; 4418 4419 default: 4420 node_perm = RAWIP_SOCKET__NODE_BIND; 4421 break; 4422 } 4423 4424 err = sel_netnode_sid(addrp, family_sa, &sid); 4425 if (err) 4426 goto out; 4427 4428 if (family_sa == AF_INET) 4429 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 4430 else 4431 ad.u.net->v6info.saddr = addr6->sin6_addr; 4432 4433 err = avc_has_perm(&selinux_state, 4434 sksec->sid, sid, 4435 sksec->sclass, node_perm, &ad); 4436 if (err) 4437 goto out; 4438 } 4439 out: 4440 return err; 4441 err_af: 4442 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */ 4443 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4444 return -EINVAL; 4445 return -EAFNOSUPPORT; 4446 } 4447 4448 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3) 4449 * and sctp_sendmsg(3) as described in Documentation/security/LSM-sctp.rst 4450 */ 4451 static int selinux_socket_connect_helper(struct socket *sock, 4452 struct sockaddr *address, int addrlen) 4453 { 4454 struct sock *sk = sock->sk; 4455 struct sk_security_struct *sksec = sk->sk_security; 4456 int err; 4457 4458 err = sock_has_perm(sk, SOCKET__CONNECT); 4459 if (err) 4460 return err; 4461 4462 /* 4463 * If a TCP, DCCP or SCTP socket, check name_connect permission 4464 * for the port. 4465 */ 4466 if (sksec->sclass == SECCLASS_TCP_SOCKET || 4467 sksec->sclass == SECCLASS_DCCP_SOCKET || 4468 sksec->sclass == SECCLASS_SCTP_SOCKET) { 4469 struct common_audit_data ad; 4470 struct lsm_network_audit net = {0,}; 4471 struct sockaddr_in *addr4 = NULL; 4472 struct sockaddr_in6 *addr6 = NULL; 4473 unsigned short snum; 4474 u32 sid, perm; 4475 4476 /* sctp_connectx(3) calls via selinux_sctp_bind_connect() 4477 * that validates multiple connect addresses. Because of this 4478 * need to check address->sa_family as it is possible to have 4479 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4480 */ 4481 switch (address->sa_family) { 4482 case AF_INET: 4483 addr4 = (struct sockaddr_in *)address; 4484 if (addrlen < sizeof(struct sockaddr_in)) 4485 return -EINVAL; 4486 snum = ntohs(addr4->sin_port); 4487 break; 4488 case AF_INET6: 4489 addr6 = (struct sockaddr_in6 *)address; 4490 if (addrlen < SIN6_LEN_RFC2133) 4491 return -EINVAL; 4492 snum = ntohs(addr6->sin6_port); 4493 break; 4494 default: 4495 /* Note that SCTP services expect -EINVAL, whereas 4496 * others expect -EAFNOSUPPORT. 4497 */ 4498 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4499 return -EINVAL; 4500 else 4501 return -EAFNOSUPPORT; 4502 } 4503 4504 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 4505 if (err) 4506 return err; 4507 4508 switch (sksec->sclass) { 4509 case SECCLASS_TCP_SOCKET: 4510 perm = TCP_SOCKET__NAME_CONNECT; 4511 break; 4512 case SECCLASS_DCCP_SOCKET: 4513 perm = DCCP_SOCKET__NAME_CONNECT; 4514 break; 4515 case SECCLASS_SCTP_SOCKET: 4516 perm = SCTP_SOCKET__NAME_CONNECT; 4517 break; 4518 } 4519 4520 ad.type = LSM_AUDIT_DATA_NET; 4521 ad.u.net = &net; 4522 ad.u.net->dport = htons(snum); 4523 ad.u.net->family = address->sa_family; 4524 err = avc_has_perm(&selinux_state, 4525 sksec->sid, sid, sksec->sclass, perm, &ad); 4526 if (err) 4527 return err; 4528 } 4529 4530 return 0; 4531 } 4532 4533 /* Supports connect(2), see comments in selinux_socket_connect_helper() */ 4534 static int selinux_socket_connect(struct socket *sock, 4535 struct sockaddr *address, int addrlen) 4536 { 4537 int err; 4538 struct sock *sk = sock->sk; 4539 4540 err = selinux_socket_connect_helper(sock, address, addrlen); 4541 if (err) 4542 return err; 4543 4544 return selinux_netlbl_socket_connect(sk, address); 4545 } 4546 4547 static int selinux_socket_listen(struct socket *sock, int backlog) 4548 { 4549 return sock_has_perm(sock->sk, SOCKET__LISTEN); 4550 } 4551 4552 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 4553 { 4554 int err; 4555 struct inode_security_struct *isec; 4556 struct inode_security_struct *newisec; 4557 u16 sclass; 4558 u32 sid; 4559 4560 err = sock_has_perm(sock->sk, SOCKET__ACCEPT); 4561 if (err) 4562 return err; 4563 4564 isec = inode_security_novalidate(SOCK_INODE(sock)); 4565 spin_lock(&isec->lock); 4566 sclass = isec->sclass; 4567 sid = isec->sid; 4568 spin_unlock(&isec->lock); 4569 4570 newisec = inode_security_novalidate(SOCK_INODE(newsock)); 4571 newisec->sclass = sclass; 4572 newisec->sid = sid; 4573 newisec->initialized = LABEL_INITIALIZED; 4574 4575 return 0; 4576 } 4577 4578 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 4579 int size) 4580 { 4581 return sock_has_perm(sock->sk, SOCKET__WRITE); 4582 } 4583 4584 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 4585 int size, int flags) 4586 { 4587 return sock_has_perm(sock->sk, SOCKET__READ); 4588 } 4589 4590 static int selinux_socket_getsockname(struct socket *sock) 4591 { 4592 return sock_has_perm(sock->sk, SOCKET__GETATTR); 4593 } 4594 4595 static int selinux_socket_getpeername(struct socket *sock) 4596 { 4597 return sock_has_perm(sock->sk, SOCKET__GETATTR); 4598 } 4599 4600 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) 4601 { 4602 int err; 4603 4604 err = sock_has_perm(sock->sk, SOCKET__SETOPT); 4605 if (err) 4606 return err; 4607 4608 return selinux_netlbl_socket_setsockopt(sock, level, optname); 4609 } 4610 4611 static int selinux_socket_getsockopt(struct socket *sock, int level, 4612 int optname) 4613 { 4614 return sock_has_perm(sock->sk, SOCKET__GETOPT); 4615 } 4616 4617 static int selinux_socket_shutdown(struct socket *sock, int how) 4618 { 4619 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN); 4620 } 4621 4622 static int selinux_socket_unix_stream_connect(struct sock *sock, 4623 struct sock *other, 4624 struct sock *newsk) 4625 { 4626 struct sk_security_struct *sksec_sock = sock->sk_security; 4627 struct sk_security_struct *sksec_other = other->sk_security; 4628 struct sk_security_struct *sksec_new = newsk->sk_security; 4629 struct common_audit_data ad; 4630 struct lsm_network_audit net = {0,}; 4631 int err; 4632 4633 ad.type = LSM_AUDIT_DATA_NET; 4634 ad.u.net = &net; 4635 ad.u.net->sk = other; 4636 4637 err = avc_has_perm(&selinux_state, 4638 sksec_sock->sid, sksec_other->sid, 4639 sksec_other->sclass, 4640 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 4641 if (err) 4642 return err; 4643 4644 /* server child socket */ 4645 sksec_new->peer_sid = sksec_sock->sid; 4646 err = security_sid_mls_copy(&selinux_state, sksec_other->sid, 4647 sksec_sock->sid, &sksec_new->sid); 4648 if (err) 4649 return err; 4650 4651 /* connecting socket */ 4652 sksec_sock->peer_sid = sksec_new->sid; 4653 4654 return 0; 4655 } 4656 4657 static int selinux_socket_unix_may_send(struct socket *sock, 4658 struct socket *other) 4659 { 4660 struct sk_security_struct *ssec = sock->sk->sk_security; 4661 struct sk_security_struct *osec = other->sk->sk_security; 4662 struct common_audit_data ad; 4663 struct lsm_network_audit net = {0,}; 4664 4665 ad.type = LSM_AUDIT_DATA_NET; 4666 ad.u.net = &net; 4667 ad.u.net->sk = other->sk; 4668 4669 return avc_has_perm(&selinux_state, 4670 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 4671 &ad); 4672 } 4673 4674 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex, 4675 char *addrp, u16 family, u32 peer_sid, 4676 struct common_audit_data *ad) 4677 { 4678 int err; 4679 u32 if_sid; 4680 u32 node_sid; 4681 4682 err = sel_netif_sid(ns, ifindex, &if_sid); 4683 if (err) 4684 return err; 4685 err = avc_has_perm(&selinux_state, 4686 peer_sid, if_sid, 4687 SECCLASS_NETIF, NETIF__INGRESS, ad); 4688 if (err) 4689 return err; 4690 4691 err = sel_netnode_sid(addrp, family, &node_sid); 4692 if (err) 4693 return err; 4694 return avc_has_perm(&selinux_state, 4695 peer_sid, node_sid, 4696 SECCLASS_NODE, NODE__RECVFROM, ad); 4697 } 4698 4699 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 4700 u16 family) 4701 { 4702 int err = 0; 4703 struct sk_security_struct *sksec = sk->sk_security; 4704 u32 sk_sid = sksec->sid; 4705 struct common_audit_data ad; 4706 struct lsm_network_audit net = {0,}; 4707 char *addrp; 4708 4709 ad.type = LSM_AUDIT_DATA_NET; 4710 ad.u.net = &net; 4711 ad.u.net->netif = skb->skb_iif; 4712 ad.u.net->family = family; 4713 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4714 if (err) 4715 return err; 4716 4717 if (selinux_secmark_enabled()) { 4718 err = avc_has_perm(&selinux_state, 4719 sk_sid, skb->secmark, SECCLASS_PACKET, 4720 PACKET__RECV, &ad); 4721 if (err) 4722 return err; 4723 } 4724 4725 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 4726 if (err) 4727 return err; 4728 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 4729 4730 return err; 4731 } 4732 4733 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 4734 { 4735 int err; 4736 struct sk_security_struct *sksec = sk->sk_security; 4737 u16 family = sk->sk_family; 4738 u32 sk_sid = sksec->sid; 4739 struct common_audit_data ad; 4740 struct lsm_network_audit net = {0,}; 4741 char *addrp; 4742 u8 secmark_active; 4743 u8 peerlbl_active; 4744 4745 if (family != PF_INET && family != PF_INET6) 4746 return 0; 4747 4748 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 4749 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4750 family = PF_INET; 4751 4752 /* If any sort of compatibility mode is enabled then handoff processing 4753 * to the selinux_sock_rcv_skb_compat() function to deal with the 4754 * special handling. We do this in an attempt to keep this function 4755 * as fast and as clean as possible. */ 4756 if (!selinux_policycap_netpeer()) 4757 return selinux_sock_rcv_skb_compat(sk, skb, family); 4758 4759 secmark_active = selinux_secmark_enabled(); 4760 peerlbl_active = selinux_peerlbl_enabled(); 4761 if (!secmark_active && !peerlbl_active) 4762 return 0; 4763 4764 ad.type = LSM_AUDIT_DATA_NET; 4765 ad.u.net = &net; 4766 ad.u.net->netif = skb->skb_iif; 4767 ad.u.net->family = family; 4768 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4769 if (err) 4770 return err; 4771 4772 if (peerlbl_active) { 4773 u32 peer_sid; 4774 4775 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 4776 if (err) 4777 return err; 4778 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif, 4779 addrp, family, peer_sid, &ad); 4780 if (err) { 4781 selinux_netlbl_err(skb, family, err, 0); 4782 return err; 4783 } 4784 err = avc_has_perm(&selinux_state, 4785 sk_sid, peer_sid, SECCLASS_PEER, 4786 PEER__RECV, &ad); 4787 if (err) { 4788 selinux_netlbl_err(skb, family, err, 0); 4789 return err; 4790 } 4791 } 4792 4793 if (secmark_active) { 4794 err = avc_has_perm(&selinux_state, 4795 sk_sid, skb->secmark, SECCLASS_PACKET, 4796 PACKET__RECV, &ad); 4797 if (err) 4798 return err; 4799 } 4800 4801 return err; 4802 } 4803 4804 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, 4805 int __user *optlen, unsigned len) 4806 { 4807 int err = 0; 4808 char *scontext; 4809 u32 scontext_len; 4810 struct sk_security_struct *sksec = sock->sk->sk_security; 4811 u32 peer_sid = SECSID_NULL; 4812 4813 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 4814 sksec->sclass == SECCLASS_TCP_SOCKET || 4815 sksec->sclass == SECCLASS_SCTP_SOCKET) 4816 peer_sid = sksec->peer_sid; 4817 if (peer_sid == SECSID_NULL) 4818 return -ENOPROTOOPT; 4819 4820 err = security_sid_to_context(&selinux_state, peer_sid, &scontext, 4821 &scontext_len); 4822 if (err) 4823 return err; 4824 4825 if (scontext_len > len) { 4826 err = -ERANGE; 4827 goto out_len; 4828 } 4829 4830 if (copy_to_user(optval, scontext, scontext_len)) 4831 err = -EFAULT; 4832 4833 out_len: 4834 if (put_user(scontext_len, optlen)) 4835 err = -EFAULT; 4836 kfree(scontext); 4837 return err; 4838 } 4839 4840 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) 4841 { 4842 u32 peer_secid = SECSID_NULL; 4843 u16 family; 4844 struct inode_security_struct *isec; 4845 4846 if (skb && skb->protocol == htons(ETH_P_IP)) 4847 family = PF_INET; 4848 else if (skb && skb->protocol == htons(ETH_P_IPV6)) 4849 family = PF_INET6; 4850 else if (sock) 4851 family = sock->sk->sk_family; 4852 else 4853 goto out; 4854 4855 if (sock && family == PF_UNIX) { 4856 isec = inode_security_novalidate(SOCK_INODE(sock)); 4857 peer_secid = isec->sid; 4858 } else if (skb) 4859 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 4860 4861 out: 4862 *secid = peer_secid; 4863 if (peer_secid == SECSID_NULL) 4864 return -EINVAL; 4865 return 0; 4866 } 4867 4868 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 4869 { 4870 struct sk_security_struct *sksec; 4871 4872 sksec = kzalloc(sizeof(*sksec), priority); 4873 if (!sksec) 4874 return -ENOMEM; 4875 4876 sksec->peer_sid = SECINITSID_UNLABELED; 4877 sksec->sid = SECINITSID_UNLABELED; 4878 sksec->sclass = SECCLASS_SOCKET; 4879 selinux_netlbl_sk_security_reset(sksec); 4880 sk->sk_security = sksec; 4881 4882 return 0; 4883 } 4884 4885 static void selinux_sk_free_security(struct sock *sk) 4886 { 4887 struct sk_security_struct *sksec = sk->sk_security; 4888 4889 sk->sk_security = NULL; 4890 selinux_netlbl_sk_security_free(sksec); 4891 kfree(sksec); 4892 } 4893 4894 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 4895 { 4896 struct sk_security_struct *sksec = sk->sk_security; 4897 struct sk_security_struct *newsksec = newsk->sk_security; 4898 4899 newsksec->sid = sksec->sid; 4900 newsksec->peer_sid = sksec->peer_sid; 4901 newsksec->sclass = sksec->sclass; 4902 4903 selinux_netlbl_sk_security_reset(newsksec); 4904 } 4905 4906 static void selinux_sk_getsecid(struct sock *sk, u32 *secid) 4907 { 4908 if (!sk) 4909 *secid = SECINITSID_ANY_SOCKET; 4910 else { 4911 struct sk_security_struct *sksec = sk->sk_security; 4912 4913 *secid = sksec->sid; 4914 } 4915 } 4916 4917 static void selinux_sock_graft(struct sock *sk, struct socket *parent) 4918 { 4919 struct inode_security_struct *isec = 4920 inode_security_novalidate(SOCK_INODE(parent)); 4921 struct sk_security_struct *sksec = sk->sk_security; 4922 4923 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 4924 sk->sk_family == PF_UNIX) 4925 isec->sid = sksec->sid; 4926 sksec->sclass = isec->sclass; 4927 } 4928 4929 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming 4930 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association 4931 * already present). 4932 */ 4933 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep, 4934 struct sk_buff *skb) 4935 { 4936 struct sk_security_struct *sksec = ep->base.sk->sk_security; 4937 struct common_audit_data ad; 4938 struct lsm_network_audit net = {0,}; 4939 u8 peerlbl_active; 4940 u32 peer_sid = SECINITSID_UNLABELED; 4941 u32 conn_sid; 4942 int err = 0; 4943 4944 if (!selinux_policycap_extsockclass()) 4945 return 0; 4946 4947 peerlbl_active = selinux_peerlbl_enabled(); 4948 4949 if (peerlbl_active) { 4950 /* This will return peer_sid = SECSID_NULL if there are 4951 * no peer labels, see security_net_peersid_resolve(). 4952 */ 4953 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family, 4954 &peer_sid); 4955 if (err) 4956 return err; 4957 4958 if (peer_sid == SECSID_NULL) 4959 peer_sid = SECINITSID_UNLABELED; 4960 } 4961 4962 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) { 4963 sksec->sctp_assoc_state = SCTP_ASSOC_SET; 4964 4965 /* Here as first association on socket. As the peer SID 4966 * was allowed by peer recv (and the netif/node checks), 4967 * then it is approved by policy and used as the primary 4968 * peer SID for getpeercon(3). 4969 */ 4970 sksec->peer_sid = peer_sid; 4971 } else if (sksec->peer_sid != peer_sid) { 4972 /* Other association peer SIDs are checked to enforce 4973 * consistency among the peer SIDs. 4974 */ 4975 ad.type = LSM_AUDIT_DATA_NET; 4976 ad.u.net = &net; 4977 ad.u.net->sk = ep->base.sk; 4978 err = avc_has_perm(&selinux_state, 4979 sksec->peer_sid, peer_sid, sksec->sclass, 4980 SCTP_SOCKET__ASSOCIATION, &ad); 4981 if (err) 4982 return err; 4983 } 4984 4985 /* Compute the MLS component for the connection and store 4986 * the information in ep. This will be used by SCTP TCP type 4987 * sockets and peeled off connections as they cause a new 4988 * socket to be generated. selinux_sctp_sk_clone() will then 4989 * plug this into the new socket. 4990 */ 4991 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid); 4992 if (err) 4993 return err; 4994 4995 ep->secid = conn_sid; 4996 ep->peer_secid = peer_sid; 4997 4998 /* Set any NetLabel labels including CIPSO/CALIPSO options. */ 4999 return selinux_netlbl_sctp_assoc_request(ep, skb); 5000 } 5001 5002 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting 5003 * based on their @optname. 5004 */ 5005 static int selinux_sctp_bind_connect(struct sock *sk, int optname, 5006 struct sockaddr *address, 5007 int addrlen) 5008 { 5009 int len, err = 0, walk_size = 0; 5010 void *addr_buf; 5011 struct sockaddr *addr; 5012 struct socket *sock; 5013 5014 if (!selinux_policycap_extsockclass()) 5015 return 0; 5016 5017 /* Process one or more addresses that may be IPv4 or IPv6 */ 5018 sock = sk->sk_socket; 5019 addr_buf = address; 5020 5021 while (walk_size < addrlen) { 5022 if (walk_size + sizeof(sa_family_t) > addrlen) 5023 return -EINVAL; 5024 5025 addr = addr_buf; 5026 switch (addr->sa_family) { 5027 case AF_UNSPEC: 5028 case AF_INET: 5029 len = sizeof(struct sockaddr_in); 5030 break; 5031 case AF_INET6: 5032 len = sizeof(struct sockaddr_in6); 5033 break; 5034 default: 5035 return -EINVAL; 5036 } 5037 5038 err = -EINVAL; 5039 switch (optname) { 5040 /* Bind checks */ 5041 case SCTP_PRIMARY_ADDR: 5042 case SCTP_SET_PEER_PRIMARY_ADDR: 5043 case SCTP_SOCKOPT_BINDX_ADD: 5044 err = selinux_socket_bind(sock, addr, len); 5045 break; 5046 /* Connect checks */ 5047 case SCTP_SOCKOPT_CONNECTX: 5048 case SCTP_PARAM_SET_PRIMARY: 5049 case SCTP_PARAM_ADD_IP: 5050 case SCTP_SENDMSG_CONNECT: 5051 err = selinux_socket_connect_helper(sock, addr, len); 5052 if (err) 5053 return err; 5054 5055 /* As selinux_sctp_bind_connect() is called by the 5056 * SCTP protocol layer, the socket is already locked, 5057 * therefore selinux_netlbl_socket_connect_locked() is 5058 * is called here. The situations handled are: 5059 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2), 5060 * whenever a new IP address is added or when a new 5061 * primary address is selected. 5062 * Note that an SCTP connect(2) call happens before 5063 * the SCTP protocol layer and is handled via 5064 * selinux_socket_connect(). 5065 */ 5066 err = selinux_netlbl_socket_connect_locked(sk, addr); 5067 break; 5068 } 5069 5070 if (err) 5071 return err; 5072 5073 addr_buf += len; 5074 walk_size += len; 5075 } 5076 5077 return 0; 5078 } 5079 5080 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */ 5081 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk, 5082 struct sock *newsk) 5083 { 5084 struct sk_security_struct *sksec = sk->sk_security; 5085 struct sk_security_struct *newsksec = newsk->sk_security; 5086 5087 /* If policy does not support SECCLASS_SCTP_SOCKET then call 5088 * the non-sctp clone version. 5089 */ 5090 if (!selinux_policycap_extsockclass()) 5091 return selinux_sk_clone_security(sk, newsk); 5092 5093 newsksec->sid = ep->secid; 5094 newsksec->peer_sid = ep->peer_secid; 5095 newsksec->sclass = sksec->sclass; 5096 selinux_netlbl_sctp_sk_clone(sk, newsk); 5097 } 5098 5099 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, 5100 struct request_sock *req) 5101 { 5102 struct sk_security_struct *sksec = sk->sk_security; 5103 int err; 5104 u16 family = req->rsk_ops->family; 5105 u32 connsid; 5106 u32 peersid; 5107 5108 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 5109 if (err) 5110 return err; 5111 err = selinux_conn_sid(sksec->sid, peersid, &connsid); 5112 if (err) 5113 return err; 5114 req->secid = connsid; 5115 req->peer_secid = peersid; 5116 5117 return selinux_netlbl_inet_conn_request(req, family); 5118 } 5119 5120 static void selinux_inet_csk_clone(struct sock *newsk, 5121 const struct request_sock *req) 5122 { 5123 struct sk_security_struct *newsksec = newsk->sk_security; 5124 5125 newsksec->sid = req->secid; 5126 newsksec->peer_sid = req->peer_secid; 5127 /* NOTE: Ideally, we should also get the isec->sid for the 5128 new socket in sync, but we don't have the isec available yet. 5129 So we will wait until sock_graft to do it, by which 5130 time it will have been created and available. */ 5131 5132 /* We don't need to take any sort of lock here as we are the only 5133 * thread with access to newsksec */ 5134 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); 5135 } 5136 5137 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 5138 { 5139 u16 family = sk->sk_family; 5140 struct sk_security_struct *sksec = sk->sk_security; 5141 5142 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 5143 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5144 family = PF_INET; 5145 5146 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 5147 } 5148 5149 static int selinux_secmark_relabel_packet(u32 sid) 5150 { 5151 const struct task_security_struct *__tsec; 5152 u32 tsid; 5153 5154 __tsec = selinux_cred(current_cred()); 5155 tsid = __tsec->sid; 5156 5157 return avc_has_perm(&selinux_state, 5158 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, 5159 NULL); 5160 } 5161 5162 static void selinux_secmark_refcount_inc(void) 5163 { 5164 atomic_inc(&selinux_secmark_refcount); 5165 } 5166 5167 static void selinux_secmark_refcount_dec(void) 5168 { 5169 atomic_dec(&selinux_secmark_refcount); 5170 } 5171 5172 static void selinux_req_classify_flow(const struct request_sock *req, 5173 struct flowi *fl) 5174 { 5175 fl->flowi_secid = req->secid; 5176 } 5177 5178 static int selinux_tun_dev_alloc_security(void **security) 5179 { 5180 struct tun_security_struct *tunsec; 5181 5182 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL); 5183 if (!tunsec) 5184 return -ENOMEM; 5185 tunsec->sid = current_sid(); 5186 5187 *security = tunsec; 5188 return 0; 5189 } 5190 5191 static void selinux_tun_dev_free_security(void *security) 5192 { 5193 kfree(security); 5194 } 5195 5196 static int selinux_tun_dev_create(void) 5197 { 5198 u32 sid = current_sid(); 5199 5200 /* we aren't taking into account the "sockcreate" SID since the socket 5201 * that is being created here is not a socket in the traditional sense, 5202 * instead it is a private sock, accessible only to the kernel, and 5203 * representing a wide range of network traffic spanning multiple 5204 * connections unlike traditional sockets - check the TUN driver to 5205 * get a better understanding of why this socket is special */ 5206 5207 return avc_has_perm(&selinux_state, 5208 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 5209 NULL); 5210 } 5211 5212 static int selinux_tun_dev_attach_queue(void *security) 5213 { 5214 struct tun_security_struct *tunsec = security; 5215 5216 return avc_has_perm(&selinux_state, 5217 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 5218 TUN_SOCKET__ATTACH_QUEUE, NULL); 5219 } 5220 5221 static int selinux_tun_dev_attach(struct sock *sk, void *security) 5222 { 5223 struct tun_security_struct *tunsec = security; 5224 struct sk_security_struct *sksec = sk->sk_security; 5225 5226 /* we don't currently perform any NetLabel based labeling here and it 5227 * isn't clear that we would want to do so anyway; while we could apply 5228 * labeling without the support of the TUN user the resulting labeled 5229 * traffic from the other end of the connection would almost certainly 5230 * cause confusion to the TUN user that had no idea network labeling 5231 * protocols were being used */ 5232 5233 sksec->sid = tunsec->sid; 5234 sksec->sclass = SECCLASS_TUN_SOCKET; 5235 5236 return 0; 5237 } 5238 5239 static int selinux_tun_dev_open(void *security) 5240 { 5241 struct tun_security_struct *tunsec = security; 5242 u32 sid = current_sid(); 5243 int err; 5244 5245 err = avc_has_perm(&selinux_state, 5246 sid, tunsec->sid, SECCLASS_TUN_SOCKET, 5247 TUN_SOCKET__RELABELFROM, NULL); 5248 if (err) 5249 return err; 5250 err = avc_has_perm(&selinux_state, 5251 sid, sid, SECCLASS_TUN_SOCKET, 5252 TUN_SOCKET__RELABELTO, NULL); 5253 if (err) 5254 return err; 5255 tunsec->sid = sid; 5256 5257 return 0; 5258 } 5259 5260 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 5261 { 5262 int err = 0; 5263 u32 perm; 5264 struct nlmsghdr *nlh; 5265 struct sk_security_struct *sksec = sk->sk_security; 5266 5267 if (skb->len < NLMSG_HDRLEN) { 5268 err = -EINVAL; 5269 goto out; 5270 } 5271 nlh = nlmsg_hdr(skb); 5272 5273 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm); 5274 if (err) { 5275 if (err == -EINVAL) { 5276 pr_warn_ratelimited("SELinux: unrecognized netlink" 5277 " message: protocol=%hu nlmsg_type=%hu sclass=%s" 5278 " pig=%d comm=%s\n", 5279 sk->sk_protocol, nlh->nlmsg_type, 5280 secclass_map[sksec->sclass - 1].name, 5281 task_pid_nr(current), current->comm); 5282 if (!enforcing_enabled(&selinux_state) || 5283 security_get_allow_unknown(&selinux_state)) 5284 err = 0; 5285 } 5286 5287 /* Ignore */ 5288 if (err == -ENOENT) 5289 err = 0; 5290 goto out; 5291 } 5292 5293 err = sock_has_perm(sk, perm); 5294 out: 5295 return err; 5296 } 5297 5298 #ifdef CONFIG_NETFILTER 5299 5300 static unsigned int selinux_ip_forward(struct sk_buff *skb, 5301 const struct net_device *indev, 5302 u16 family) 5303 { 5304 int err; 5305 char *addrp; 5306 u32 peer_sid; 5307 struct common_audit_data ad; 5308 struct lsm_network_audit net = {0,}; 5309 u8 secmark_active; 5310 u8 netlbl_active; 5311 u8 peerlbl_active; 5312 5313 if (!selinux_policycap_netpeer()) 5314 return NF_ACCEPT; 5315 5316 secmark_active = selinux_secmark_enabled(); 5317 netlbl_active = netlbl_enabled(); 5318 peerlbl_active = selinux_peerlbl_enabled(); 5319 if (!secmark_active && !peerlbl_active) 5320 return NF_ACCEPT; 5321 5322 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 5323 return NF_DROP; 5324 5325 ad.type = LSM_AUDIT_DATA_NET; 5326 ad.u.net = &net; 5327 ad.u.net->netif = indev->ifindex; 5328 ad.u.net->family = family; 5329 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 5330 return NF_DROP; 5331 5332 if (peerlbl_active) { 5333 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex, 5334 addrp, family, peer_sid, &ad); 5335 if (err) { 5336 selinux_netlbl_err(skb, family, err, 1); 5337 return NF_DROP; 5338 } 5339 } 5340 5341 if (secmark_active) 5342 if (avc_has_perm(&selinux_state, 5343 peer_sid, skb->secmark, 5344 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 5345 return NF_DROP; 5346 5347 if (netlbl_active) 5348 /* we do this in the FORWARD path and not the POST_ROUTING 5349 * path because we want to make sure we apply the necessary 5350 * labeling before IPsec is applied so we can leverage AH 5351 * protection */ 5352 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 5353 return NF_DROP; 5354 5355 return NF_ACCEPT; 5356 } 5357 5358 static unsigned int selinux_ipv4_forward(void *priv, 5359 struct sk_buff *skb, 5360 const struct nf_hook_state *state) 5361 { 5362 return selinux_ip_forward(skb, state->in, PF_INET); 5363 } 5364 5365 #if IS_ENABLED(CONFIG_IPV6) 5366 static unsigned int selinux_ipv6_forward(void *priv, 5367 struct sk_buff *skb, 5368 const struct nf_hook_state *state) 5369 { 5370 return selinux_ip_forward(skb, state->in, PF_INET6); 5371 } 5372 #endif /* IPV6 */ 5373 5374 static unsigned int selinux_ip_output(struct sk_buff *skb, 5375 u16 family) 5376 { 5377 struct sock *sk; 5378 u32 sid; 5379 5380 if (!netlbl_enabled()) 5381 return NF_ACCEPT; 5382 5383 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 5384 * because we want to make sure we apply the necessary labeling 5385 * before IPsec is applied so we can leverage AH protection */ 5386 sk = skb->sk; 5387 if (sk) { 5388 struct sk_security_struct *sksec; 5389 5390 if (sk_listener(sk)) 5391 /* if the socket is the listening state then this 5392 * packet is a SYN-ACK packet which means it needs to 5393 * be labeled based on the connection/request_sock and 5394 * not the parent socket. unfortunately, we can't 5395 * lookup the request_sock yet as it isn't queued on 5396 * the parent socket until after the SYN-ACK is sent. 5397 * the "solution" is to simply pass the packet as-is 5398 * as any IP option based labeling should be copied 5399 * from the initial connection request (in the IP 5400 * layer). it is far from ideal, but until we get a 5401 * security label in the packet itself this is the 5402 * best we can do. */ 5403 return NF_ACCEPT; 5404 5405 /* standard practice, label using the parent socket */ 5406 sksec = sk->sk_security; 5407 sid = sksec->sid; 5408 } else 5409 sid = SECINITSID_KERNEL; 5410 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0) 5411 return NF_DROP; 5412 5413 return NF_ACCEPT; 5414 } 5415 5416 static unsigned int selinux_ipv4_output(void *priv, 5417 struct sk_buff *skb, 5418 const struct nf_hook_state *state) 5419 { 5420 return selinux_ip_output(skb, PF_INET); 5421 } 5422 5423 #if IS_ENABLED(CONFIG_IPV6) 5424 static unsigned int selinux_ipv6_output(void *priv, 5425 struct sk_buff *skb, 5426 const struct nf_hook_state *state) 5427 { 5428 return selinux_ip_output(skb, PF_INET6); 5429 } 5430 #endif /* IPV6 */ 5431 5432 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 5433 int ifindex, 5434 u16 family) 5435 { 5436 struct sock *sk = skb_to_full_sk(skb); 5437 struct sk_security_struct *sksec; 5438 struct common_audit_data ad; 5439 struct lsm_network_audit net = {0,}; 5440 char *addrp; 5441 u8 proto; 5442 5443 if (sk == NULL) 5444 return NF_ACCEPT; 5445 sksec = sk->sk_security; 5446 5447 ad.type = LSM_AUDIT_DATA_NET; 5448 ad.u.net = &net; 5449 ad.u.net->netif = ifindex; 5450 ad.u.net->family = family; 5451 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) 5452 return NF_DROP; 5453 5454 if (selinux_secmark_enabled()) 5455 if (avc_has_perm(&selinux_state, 5456 sksec->sid, skb->secmark, 5457 SECCLASS_PACKET, PACKET__SEND, &ad)) 5458 return NF_DROP_ERR(-ECONNREFUSED); 5459 5460 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 5461 return NF_DROP_ERR(-ECONNREFUSED); 5462 5463 return NF_ACCEPT; 5464 } 5465 5466 static unsigned int selinux_ip_postroute(struct sk_buff *skb, 5467 const struct net_device *outdev, 5468 u16 family) 5469 { 5470 u32 secmark_perm; 5471 u32 peer_sid; 5472 int ifindex = outdev->ifindex; 5473 struct sock *sk; 5474 struct common_audit_data ad; 5475 struct lsm_network_audit net = {0,}; 5476 char *addrp; 5477 u8 secmark_active; 5478 u8 peerlbl_active; 5479 5480 /* If any sort of compatibility mode is enabled then handoff processing 5481 * to the selinux_ip_postroute_compat() function to deal with the 5482 * special handling. We do this in an attempt to keep this function 5483 * as fast and as clean as possible. */ 5484 if (!selinux_policycap_netpeer()) 5485 return selinux_ip_postroute_compat(skb, ifindex, family); 5486 5487 secmark_active = selinux_secmark_enabled(); 5488 peerlbl_active = selinux_peerlbl_enabled(); 5489 if (!secmark_active && !peerlbl_active) 5490 return NF_ACCEPT; 5491 5492 sk = skb_to_full_sk(skb); 5493 5494 #ifdef CONFIG_XFRM 5495 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 5496 * packet transformation so allow the packet to pass without any checks 5497 * since we'll have another chance to perform access control checks 5498 * when the packet is on it's final way out. 5499 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 5500 * is NULL, in this case go ahead and apply access control. 5501 * NOTE: if this is a local socket (skb->sk != NULL) that is in the 5502 * TCP listening state we cannot wait until the XFRM processing 5503 * is done as we will miss out on the SA label if we do; 5504 * unfortunately, this means more work, but it is only once per 5505 * connection. */ 5506 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL && 5507 !(sk && sk_listener(sk))) 5508 return NF_ACCEPT; 5509 #endif 5510 5511 if (sk == NULL) { 5512 /* Without an associated socket the packet is either coming 5513 * from the kernel or it is being forwarded; check the packet 5514 * to determine which and if the packet is being forwarded 5515 * query the packet directly to determine the security label. */ 5516 if (skb->skb_iif) { 5517 secmark_perm = PACKET__FORWARD_OUT; 5518 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 5519 return NF_DROP; 5520 } else { 5521 secmark_perm = PACKET__SEND; 5522 peer_sid = SECINITSID_KERNEL; 5523 } 5524 } else if (sk_listener(sk)) { 5525 /* Locally generated packet but the associated socket is in the 5526 * listening state which means this is a SYN-ACK packet. In 5527 * this particular case the correct security label is assigned 5528 * to the connection/request_sock but unfortunately we can't 5529 * query the request_sock as it isn't queued on the parent 5530 * socket until after the SYN-ACK packet is sent; the only 5531 * viable choice is to regenerate the label like we do in 5532 * selinux_inet_conn_request(). See also selinux_ip_output() 5533 * for similar problems. */ 5534 u32 skb_sid; 5535 struct sk_security_struct *sksec; 5536 5537 sksec = sk->sk_security; 5538 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) 5539 return NF_DROP; 5540 /* At this point, if the returned skb peerlbl is SECSID_NULL 5541 * and the packet has been through at least one XFRM 5542 * transformation then we must be dealing with the "final" 5543 * form of labeled IPsec packet; since we've already applied 5544 * all of our access controls on this packet we can safely 5545 * pass the packet. */ 5546 if (skb_sid == SECSID_NULL) { 5547 switch (family) { 5548 case PF_INET: 5549 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) 5550 return NF_ACCEPT; 5551 break; 5552 case PF_INET6: 5553 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) 5554 return NF_ACCEPT; 5555 break; 5556 default: 5557 return NF_DROP_ERR(-ECONNREFUSED); 5558 } 5559 } 5560 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid)) 5561 return NF_DROP; 5562 secmark_perm = PACKET__SEND; 5563 } else { 5564 /* Locally generated packet, fetch the security label from the 5565 * associated socket. */ 5566 struct sk_security_struct *sksec = sk->sk_security; 5567 peer_sid = sksec->sid; 5568 secmark_perm = PACKET__SEND; 5569 } 5570 5571 ad.type = LSM_AUDIT_DATA_NET; 5572 ad.u.net = &net; 5573 ad.u.net->netif = ifindex; 5574 ad.u.net->family = family; 5575 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 5576 return NF_DROP; 5577 5578 if (secmark_active) 5579 if (avc_has_perm(&selinux_state, 5580 peer_sid, skb->secmark, 5581 SECCLASS_PACKET, secmark_perm, &ad)) 5582 return NF_DROP_ERR(-ECONNREFUSED); 5583 5584 if (peerlbl_active) { 5585 u32 if_sid; 5586 u32 node_sid; 5587 5588 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid)) 5589 return NF_DROP; 5590 if (avc_has_perm(&selinux_state, 5591 peer_sid, if_sid, 5592 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 5593 return NF_DROP_ERR(-ECONNREFUSED); 5594 5595 if (sel_netnode_sid(addrp, family, &node_sid)) 5596 return NF_DROP; 5597 if (avc_has_perm(&selinux_state, 5598 peer_sid, node_sid, 5599 SECCLASS_NODE, NODE__SENDTO, &ad)) 5600 return NF_DROP_ERR(-ECONNREFUSED); 5601 } 5602 5603 return NF_ACCEPT; 5604 } 5605 5606 static unsigned int selinux_ipv4_postroute(void *priv, 5607 struct sk_buff *skb, 5608 const struct nf_hook_state *state) 5609 { 5610 return selinux_ip_postroute(skb, state->out, PF_INET); 5611 } 5612 5613 #if IS_ENABLED(CONFIG_IPV6) 5614 static unsigned int selinux_ipv6_postroute(void *priv, 5615 struct sk_buff *skb, 5616 const struct nf_hook_state *state) 5617 { 5618 return selinux_ip_postroute(skb, state->out, PF_INET6); 5619 } 5620 #endif /* IPV6 */ 5621 5622 #endif /* CONFIG_NETFILTER */ 5623 5624 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 5625 { 5626 return selinux_nlmsg_perm(sk, skb); 5627 } 5628 5629 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass) 5630 { 5631 isec->sclass = sclass; 5632 isec->sid = current_sid(); 5633 } 5634 5635 static int msg_msg_alloc_security(struct msg_msg *msg) 5636 { 5637 struct msg_security_struct *msec; 5638 5639 msec = selinux_msg_msg(msg); 5640 msec->sid = SECINITSID_UNLABELED; 5641 5642 return 0; 5643 } 5644 5645 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 5646 u32 perms) 5647 { 5648 struct ipc_security_struct *isec; 5649 struct common_audit_data ad; 5650 u32 sid = current_sid(); 5651 5652 isec = selinux_ipc(ipc_perms); 5653 5654 ad.type = LSM_AUDIT_DATA_IPC; 5655 ad.u.ipc_id = ipc_perms->key; 5656 5657 return avc_has_perm(&selinux_state, 5658 sid, isec->sid, isec->sclass, perms, &ad); 5659 } 5660 5661 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 5662 { 5663 return msg_msg_alloc_security(msg); 5664 } 5665 5666 /* message queue security operations */ 5667 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq) 5668 { 5669 struct ipc_security_struct *isec; 5670 struct common_audit_data ad; 5671 u32 sid = current_sid(); 5672 int rc; 5673 5674 isec = selinux_ipc(msq); 5675 ipc_init_security(isec, SECCLASS_MSGQ); 5676 5677 ad.type = LSM_AUDIT_DATA_IPC; 5678 ad.u.ipc_id = msq->key; 5679 5680 rc = avc_has_perm(&selinux_state, 5681 sid, isec->sid, SECCLASS_MSGQ, 5682 MSGQ__CREATE, &ad); 5683 return rc; 5684 } 5685 5686 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg) 5687 { 5688 struct ipc_security_struct *isec; 5689 struct common_audit_data ad; 5690 u32 sid = current_sid(); 5691 5692 isec = selinux_ipc(msq); 5693 5694 ad.type = LSM_AUDIT_DATA_IPC; 5695 ad.u.ipc_id = msq->key; 5696 5697 return avc_has_perm(&selinux_state, 5698 sid, isec->sid, SECCLASS_MSGQ, 5699 MSGQ__ASSOCIATE, &ad); 5700 } 5701 5702 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd) 5703 { 5704 int err; 5705 int perms; 5706 5707 switch (cmd) { 5708 case IPC_INFO: 5709 case MSG_INFO: 5710 /* No specific object, just general system-wide information. */ 5711 return avc_has_perm(&selinux_state, 5712 current_sid(), SECINITSID_KERNEL, 5713 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 5714 case IPC_STAT: 5715 case MSG_STAT: 5716 case MSG_STAT_ANY: 5717 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 5718 break; 5719 case IPC_SET: 5720 perms = MSGQ__SETATTR; 5721 break; 5722 case IPC_RMID: 5723 perms = MSGQ__DESTROY; 5724 break; 5725 default: 5726 return 0; 5727 } 5728 5729 err = ipc_has_perm(msq, perms); 5730 return err; 5731 } 5732 5733 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg) 5734 { 5735 struct ipc_security_struct *isec; 5736 struct msg_security_struct *msec; 5737 struct common_audit_data ad; 5738 u32 sid = current_sid(); 5739 int rc; 5740 5741 isec = selinux_ipc(msq); 5742 msec = selinux_msg_msg(msg); 5743 5744 /* 5745 * First time through, need to assign label to the message 5746 */ 5747 if (msec->sid == SECINITSID_UNLABELED) { 5748 /* 5749 * Compute new sid based on current process and 5750 * message queue this message will be stored in 5751 */ 5752 rc = security_transition_sid(&selinux_state, sid, isec->sid, 5753 SECCLASS_MSG, NULL, &msec->sid); 5754 if (rc) 5755 return rc; 5756 } 5757 5758 ad.type = LSM_AUDIT_DATA_IPC; 5759 ad.u.ipc_id = msq->key; 5760 5761 /* Can this process write to the queue? */ 5762 rc = avc_has_perm(&selinux_state, 5763 sid, isec->sid, SECCLASS_MSGQ, 5764 MSGQ__WRITE, &ad); 5765 if (!rc) 5766 /* Can this process send the message */ 5767 rc = avc_has_perm(&selinux_state, 5768 sid, msec->sid, SECCLASS_MSG, 5769 MSG__SEND, &ad); 5770 if (!rc) 5771 /* Can the message be put in the queue? */ 5772 rc = avc_has_perm(&selinux_state, 5773 msec->sid, isec->sid, SECCLASS_MSGQ, 5774 MSGQ__ENQUEUE, &ad); 5775 5776 return rc; 5777 } 5778 5779 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg, 5780 struct task_struct *target, 5781 long type, int mode) 5782 { 5783 struct ipc_security_struct *isec; 5784 struct msg_security_struct *msec; 5785 struct common_audit_data ad; 5786 u32 sid = task_sid(target); 5787 int rc; 5788 5789 isec = selinux_ipc(msq); 5790 msec = selinux_msg_msg(msg); 5791 5792 ad.type = LSM_AUDIT_DATA_IPC; 5793 ad.u.ipc_id = msq->key; 5794 5795 rc = avc_has_perm(&selinux_state, 5796 sid, isec->sid, 5797 SECCLASS_MSGQ, MSGQ__READ, &ad); 5798 if (!rc) 5799 rc = avc_has_perm(&selinux_state, 5800 sid, msec->sid, 5801 SECCLASS_MSG, MSG__RECEIVE, &ad); 5802 return rc; 5803 } 5804 5805 /* Shared Memory security operations */ 5806 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp) 5807 { 5808 struct ipc_security_struct *isec; 5809 struct common_audit_data ad; 5810 u32 sid = current_sid(); 5811 int rc; 5812 5813 isec = selinux_ipc(shp); 5814 ipc_init_security(isec, SECCLASS_SHM); 5815 5816 ad.type = LSM_AUDIT_DATA_IPC; 5817 ad.u.ipc_id = shp->key; 5818 5819 rc = avc_has_perm(&selinux_state, 5820 sid, isec->sid, SECCLASS_SHM, 5821 SHM__CREATE, &ad); 5822 return rc; 5823 } 5824 5825 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg) 5826 { 5827 struct ipc_security_struct *isec; 5828 struct common_audit_data ad; 5829 u32 sid = current_sid(); 5830 5831 isec = selinux_ipc(shp); 5832 5833 ad.type = LSM_AUDIT_DATA_IPC; 5834 ad.u.ipc_id = shp->key; 5835 5836 return avc_has_perm(&selinux_state, 5837 sid, isec->sid, SECCLASS_SHM, 5838 SHM__ASSOCIATE, &ad); 5839 } 5840 5841 /* Note, at this point, shp is locked down */ 5842 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd) 5843 { 5844 int perms; 5845 int err; 5846 5847 switch (cmd) { 5848 case IPC_INFO: 5849 case SHM_INFO: 5850 /* No specific object, just general system-wide information. */ 5851 return avc_has_perm(&selinux_state, 5852 current_sid(), SECINITSID_KERNEL, 5853 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 5854 case IPC_STAT: 5855 case SHM_STAT: 5856 case SHM_STAT_ANY: 5857 perms = SHM__GETATTR | SHM__ASSOCIATE; 5858 break; 5859 case IPC_SET: 5860 perms = SHM__SETATTR; 5861 break; 5862 case SHM_LOCK: 5863 case SHM_UNLOCK: 5864 perms = SHM__LOCK; 5865 break; 5866 case IPC_RMID: 5867 perms = SHM__DESTROY; 5868 break; 5869 default: 5870 return 0; 5871 } 5872 5873 err = ipc_has_perm(shp, perms); 5874 return err; 5875 } 5876 5877 static int selinux_shm_shmat(struct kern_ipc_perm *shp, 5878 char __user *shmaddr, int shmflg) 5879 { 5880 u32 perms; 5881 5882 if (shmflg & SHM_RDONLY) 5883 perms = SHM__READ; 5884 else 5885 perms = SHM__READ | SHM__WRITE; 5886 5887 return ipc_has_perm(shp, perms); 5888 } 5889 5890 /* Semaphore security operations */ 5891 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma) 5892 { 5893 struct ipc_security_struct *isec; 5894 struct common_audit_data ad; 5895 u32 sid = current_sid(); 5896 int rc; 5897 5898 isec = selinux_ipc(sma); 5899 ipc_init_security(isec, SECCLASS_SEM); 5900 5901 ad.type = LSM_AUDIT_DATA_IPC; 5902 ad.u.ipc_id = sma->key; 5903 5904 rc = avc_has_perm(&selinux_state, 5905 sid, isec->sid, SECCLASS_SEM, 5906 SEM__CREATE, &ad); 5907 return rc; 5908 } 5909 5910 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg) 5911 { 5912 struct ipc_security_struct *isec; 5913 struct common_audit_data ad; 5914 u32 sid = current_sid(); 5915 5916 isec = selinux_ipc(sma); 5917 5918 ad.type = LSM_AUDIT_DATA_IPC; 5919 ad.u.ipc_id = sma->key; 5920 5921 return avc_has_perm(&selinux_state, 5922 sid, isec->sid, SECCLASS_SEM, 5923 SEM__ASSOCIATE, &ad); 5924 } 5925 5926 /* Note, at this point, sma is locked down */ 5927 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd) 5928 { 5929 int err; 5930 u32 perms; 5931 5932 switch (cmd) { 5933 case IPC_INFO: 5934 case SEM_INFO: 5935 /* No specific object, just general system-wide information. */ 5936 return avc_has_perm(&selinux_state, 5937 current_sid(), SECINITSID_KERNEL, 5938 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 5939 case GETPID: 5940 case GETNCNT: 5941 case GETZCNT: 5942 perms = SEM__GETATTR; 5943 break; 5944 case GETVAL: 5945 case GETALL: 5946 perms = SEM__READ; 5947 break; 5948 case SETVAL: 5949 case SETALL: 5950 perms = SEM__WRITE; 5951 break; 5952 case IPC_RMID: 5953 perms = SEM__DESTROY; 5954 break; 5955 case IPC_SET: 5956 perms = SEM__SETATTR; 5957 break; 5958 case IPC_STAT: 5959 case SEM_STAT: 5960 case SEM_STAT_ANY: 5961 perms = SEM__GETATTR | SEM__ASSOCIATE; 5962 break; 5963 default: 5964 return 0; 5965 } 5966 5967 err = ipc_has_perm(sma, perms); 5968 return err; 5969 } 5970 5971 static int selinux_sem_semop(struct kern_ipc_perm *sma, 5972 struct sembuf *sops, unsigned nsops, int alter) 5973 { 5974 u32 perms; 5975 5976 if (alter) 5977 perms = SEM__READ | SEM__WRITE; 5978 else 5979 perms = SEM__READ; 5980 5981 return ipc_has_perm(sma, perms); 5982 } 5983 5984 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 5985 { 5986 u32 av = 0; 5987 5988 av = 0; 5989 if (flag & S_IRUGO) 5990 av |= IPC__UNIX_READ; 5991 if (flag & S_IWUGO) 5992 av |= IPC__UNIX_WRITE; 5993 5994 if (av == 0) 5995 return 0; 5996 5997 return ipc_has_perm(ipcp, av); 5998 } 5999 6000 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) 6001 { 6002 struct ipc_security_struct *isec = selinux_ipc(ipcp); 6003 *secid = isec->sid; 6004 } 6005 6006 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 6007 { 6008 if (inode) 6009 inode_doinit_with_dentry(inode, dentry); 6010 } 6011 6012 static int selinux_getprocattr(struct task_struct *p, 6013 char *name, char **value) 6014 { 6015 const struct task_security_struct *__tsec; 6016 u32 sid; 6017 int error; 6018 unsigned len; 6019 6020 rcu_read_lock(); 6021 __tsec = selinux_cred(__task_cred(p)); 6022 6023 if (current != p) { 6024 error = avc_has_perm(&selinux_state, 6025 current_sid(), __tsec->sid, 6026 SECCLASS_PROCESS, PROCESS__GETATTR, NULL); 6027 if (error) 6028 goto bad; 6029 } 6030 6031 if (!strcmp(name, "current")) 6032 sid = __tsec->sid; 6033 else if (!strcmp(name, "prev")) 6034 sid = __tsec->osid; 6035 else if (!strcmp(name, "exec")) 6036 sid = __tsec->exec_sid; 6037 else if (!strcmp(name, "fscreate")) 6038 sid = __tsec->create_sid; 6039 else if (!strcmp(name, "keycreate")) 6040 sid = __tsec->keycreate_sid; 6041 else if (!strcmp(name, "sockcreate")) 6042 sid = __tsec->sockcreate_sid; 6043 else { 6044 error = -EINVAL; 6045 goto bad; 6046 } 6047 rcu_read_unlock(); 6048 6049 if (!sid) 6050 return 0; 6051 6052 error = security_sid_to_context(&selinux_state, sid, value, &len); 6053 if (error) 6054 return error; 6055 return len; 6056 6057 bad: 6058 rcu_read_unlock(); 6059 return error; 6060 } 6061 6062 static int selinux_setprocattr(const char *name, void *value, size_t size) 6063 { 6064 struct task_security_struct *tsec; 6065 struct cred *new; 6066 u32 mysid = current_sid(), sid = 0, ptsid; 6067 int error; 6068 char *str = value; 6069 6070 /* 6071 * Basic control over ability to set these attributes at all. 6072 */ 6073 if (!strcmp(name, "exec")) 6074 error = avc_has_perm(&selinux_state, 6075 mysid, mysid, SECCLASS_PROCESS, 6076 PROCESS__SETEXEC, NULL); 6077 else if (!strcmp(name, "fscreate")) 6078 error = avc_has_perm(&selinux_state, 6079 mysid, mysid, SECCLASS_PROCESS, 6080 PROCESS__SETFSCREATE, NULL); 6081 else if (!strcmp(name, "keycreate")) 6082 error = avc_has_perm(&selinux_state, 6083 mysid, mysid, SECCLASS_PROCESS, 6084 PROCESS__SETKEYCREATE, NULL); 6085 else if (!strcmp(name, "sockcreate")) 6086 error = avc_has_perm(&selinux_state, 6087 mysid, mysid, SECCLASS_PROCESS, 6088 PROCESS__SETSOCKCREATE, NULL); 6089 else if (!strcmp(name, "current")) 6090 error = avc_has_perm(&selinux_state, 6091 mysid, mysid, SECCLASS_PROCESS, 6092 PROCESS__SETCURRENT, NULL); 6093 else 6094 error = -EINVAL; 6095 if (error) 6096 return error; 6097 6098 /* Obtain a SID for the context, if one was specified. */ 6099 if (size && str[0] && str[0] != '\n') { 6100 if (str[size-1] == '\n') { 6101 str[size-1] = 0; 6102 size--; 6103 } 6104 error = security_context_to_sid(&selinux_state, value, size, 6105 &sid, GFP_KERNEL); 6106 if (error == -EINVAL && !strcmp(name, "fscreate")) { 6107 if (!has_cap_mac_admin(true)) { 6108 struct audit_buffer *ab; 6109 size_t audit_size; 6110 6111 /* We strip a nul only if it is at the end, otherwise the 6112 * context contains a nul and we should audit that */ 6113 if (str[size - 1] == '\0') 6114 audit_size = size - 1; 6115 else 6116 audit_size = size; 6117 ab = audit_log_start(audit_context(), 6118 GFP_ATOMIC, 6119 AUDIT_SELINUX_ERR); 6120 audit_log_format(ab, "op=fscreate invalid_context="); 6121 audit_log_n_untrustedstring(ab, value, audit_size); 6122 audit_log_end(ab); 6123 6124 return error; 6125 } 6126 error = security_context_to_sid_force( 6127 &selinux_state, 6128 value, size, &sid); 6129 } 6130 if (error) 6131 return error; 6132 } 6133 6134 new = prepare_creds(); 6135 if (!new) 6136 return -ENOMEM; 6137 6138 /* Permission checking based on the specified context is 6139 performed during the actual operation (execve, 6140 open/mkdir/...), when we know the full context of the 6141 operation. See selinux_bprm_set_creds for the execve 6142 checks and may_create for the file creation checks. The 6143 operation will then fail if the context is not permitted. */ 6144 tsec = selinux_cred(new); 6145 if (!strcmp(name, "exec")) { 6146 tsec->exec_sid = sid; 6147 } else if (!strcmp(name, "fscreate")) { 6148 tsec->create_sid = sid; 6149 } else if (!strcmp(name, "keycreate")) { 6150 error = avc_has_perm(&selinux_state, 6151 mysid, sid, SECCLASS_KEY, KEY__CREATE, 6152 NULL); 6153 if (error) 6154 goto abort_change; 6155 tsec->keycreate_sid = sid; 6156 } else if (!strcmp(name, "sockcreate")) { 6157 tsec->sockcreate_sid = sid; 6158 } else if (!strcmp(name, "current")) { 6159 error = -EINVAL; 6160 if (sid == 0) 6161 goto abort_change; 6162 6163 /* Only allow single threaded processes to change context */ 6164 error = -EPERM; 6165 if (!current_is_single_threaded()) { 6166 error = security_bounded_transition(&selinux_state, 6167 tsec->sid, sid); 6168 if (error) 6169 goto abort_change; 6170 } 6171 6172 /* Check permissions for the transition. */ 6173 error = avc_has_perm(&selinux_state, 6174 tsec->sid, sid, SECCLASS_PROCESS, 6175 PROCESS__DYNTRANSITION, NULL); 6176 if (error) 6177 goto abort_change; 6178 6179 /* Check for ptracing, and update the task SID if ok. 6180 Otherwise, leave SID unchanged and fail. */ 6181 ptsid = ptrace_parent_sid(); 6182 if (ptsid != 0) { 6183 error = avc_has_perm(&selinux_state, 6184 ptsid, sid, SECCLASS_PROCESS, 6185 PROCESS__PTRACE, NULL); 6186 if (error) 6187 goto abort_change; 6188 } 6189 6190 tsec->sid = sid; 6191 } else { 6192 error = -EINVAL; 6193 goto abort_change; 6194 } 6195 6196 commit_creds(new); 6197 return size; 6198 6199 abort_change: 6200 abort_creds(new); 6201 return error; 6202 } 6203 6204 static int selinux_ismaclabel(const char *name) 6205 { 6206 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0); 6207 } 6208 6209 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 6210 { 6211 return security_sid_to_context(&selinux_state, secid, 6212 secdata, seclen); 6213 } 6214 6215 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 6216 { 6217 return security_context_to_sid(&selinux_state, secdata, seclen, 6218 secid, GFP_KERNEL); 6219 } 6220 6221 static void selinux_release_secctx(char *secdata, u32 seclen) 6222 { 6223 kfree(secdata); 6224 } 6225 6226 static void selinux_inode_invalidate_secctx(struct inode *inode) 6227 { 6228 struct inode_security_struct *isec = selinux_inode(inode); 6229 6230 spin_lock(&isec->lock); 6231 isec->initialized = LABEL_INVALID; 6232 spin_unlock(&isec->lock); 6233 } 6234 6235 /* 6236 * called with inode->i_mutex locked 6237 */ 6238 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 6239 { 6240 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0); 6241 } 6242 6243 /* 6244 * called with inode->i_mutex locked 6245 */ 6246 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 6247 { 6248 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0); 6249 } 6250 6251 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 6252 { 6253 int len = 0; 6254 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX, 6255 ctx, true); 6256 if (len < 0) 6257 return len; 6258 *ctxlen = len; 6259 return 0; 6260 } 6261 #ifdef CONFIG_KEYS 6262 6263 static int selinux_key_alloc(struct key *k, const struct cred *cred, 6264 unsigned long flags) 6265 { 6266 const struct task_security_struct *tsec; 6267 struct key_security_struct *ksec; 6268 6269 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 6270 if (!ksec) 6271 return -ENOMEM; 6272 6273 tsec = selinux_cred(cred); 6274 if (tsec->keycreate_sid) 6275 ksec->sid = tsec->keycreate_sid; 6276 else 6277 ksec->sid = tsec->sid; 6278 6279 k->security = ksec; 6280 return 0; 6281 } 6282 6283 static void selinux_key_free(struct key *k) 6284 { 6285 struct key_security_struct *ksec = k->security; 6286 6287 k->security = NULL; 6288 kfree(ksec); 6289 } 6290 6291 static int selinux_key_permission(key_ref_t key_ref, 6292 const struct cred *cred, 6293 unsigned perm) 6294 { 6295 struct key *key; 6296 struct key_security_struct *ksec; 6297 u32 sid; 6298 6299 /* if no specific permissions are requested, we skip the 6300 permission check. No serious, additional covert channels 6301 appear to be created. */ 6302 if (perm == 0) 6303 return 0; 6304 6305 sid = cred_sid(cred); 6306 6307 key = key_ref_to_ptr(key_ref); 6308 ksec = key->security; 6309 6310 return avc_has_perm(&selinux_state, 6311 sid, ksec->sid, SECCLASS_KEY, perm, NULL); 6312 } 6313 6314 static int selinux_key_getsecurity(struct key *key, char **_buffer) 6315 { 6316 struct key_security_struct *ksec = key->security; 6317 char *context = NULL; 6318 unsigned len; 6319 int rc; 6320 6321 rc = security_sid_to_context(&selinux_state, ksec->sid, 6322 &context, &len); 6323 if (!rc) 6324 rc = len; 6325 *_buffer = context; 6326 return rc; 6327 } 6328 #endif 6329 6330 #ifdef CONFIG_SECURITY_INFINIBAND 6331 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val) 6332 { 6333 struct common_audit_data ad; 6334 int err; 6335 u32 sid = 0; 6336 struct ib_security_struct *sec = ib_sec; 6337 struct lsm_ibpkey_audit ibpkey; 6338 6339 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid); 6340 if (err) 6341 return err; 6342 6343 ad.type = LSM_AUDIT_DATA_IBPKEY; 6344 ibpkey.subnet_prefix = subnet_prefix; 6345 ibpkey.pkey = pkey_val; 6346 ad.u.ibpkey = &ibpkey; 6347 return avc_has_perm(&selinux_state, 6348 sec->sid, sid, 6349 SECCLASS_INFINIBAND_PKEY, 6350 INFINIBAND_PKEY__ACCESS, &ad); 6351 } 6352 6353 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name, 6354 u8 port_num) 6355 { 6356 struct common_audit_data ad; 6357 int err; 6358 u32 sid = 0; 6359 struct ib_security_struct *sec = ib_sec; 6360 struct lsm_ibendport_audit ibendport; 6361 6362 err = security_ib_endport_sid(&selinux_state, dev_name, port_num, 6363 &sid); 6364 6365 if (err) 6366 return err; 6367 6368 ad.type = LSM_AUDIT_DATA_IBENDPORT; 6369 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name)); 6370 ibendport.port = port_num; 6371 ad.u.ibendport = &ibendport; 6372 return avc_has_perm(&selinux_state, 6373 sec->sid, sid, 6374 SECCLASS_INFINIBAND_ENDPORT, 6375 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); 6376 } 6377 6378 static int selinux_ib_alloc_security(void **ib_sec) 6379 { 6380 struct ib_security_struct *sec; 6381 6382 sec = kzalloc(sizeof(*sec), GFP_KERNEL); 6383 if (!sec) 6384 return -ENOMEM; 6385 sec->sid = current_sid(); 6386 6387 *ib_sec = sec; 6388 return 0; 6389 } 6390 6391 static void selinux_ib_free_security(void *ib_sec) 6392 { 6393 kfree(ib_sec); 6394 } 6395 #endif 6396 6397 #ifdef CONFIG_BPF_SYSCALL 6398 static int selinux_bpf(int cmd, union bpf_attr *attr, 6399 unsigned int size) 6400 { 6401 u32 sid = current_sid(); 6402 int ret; 6403 6404 switch (cmd) { 6405 case BPF_MAP_CREATE: 6406 ret = avc_has_perm(&selinux_state, 6407 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE, 6408 NULL); 6409 break; 6410 case BPF_PROG_LOAD: 6411 ret = avc_has_perm(&selinux_state, 6412 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD, 6413 NULL); 6414 break; 6415 default: 6416 ret = 0; 6417 break; 6418 } 6419 6420 return ret; 6421 } 6422 6423 static u32 bpf_map_fmode_to_av(fmode_t fmode) 6424 { 6425 u32 av = 0; 6426 6427 if (fmode & FMODE_READ) 6428 av |= BPF__MAP_READ; 6429 if (fmode & FMODE_WRITE) 6430 av |= BPF__MAP_WRITE; 6431 return av; 6432 } 6433 6434 /* This function will check the file pass through unix socket or binder to see 6435 * if it is a bpf related object. And apply correspinding checks on the bpf 6436 * object based on the type. The bpf maps and programs, not like other files and 6437 * socket, are using a shared anonymous inode inside the kernel as their inode. 6438 * So checking that inode cannot identify if the process have privilege to 6439 * access the bpf object and that's why we have to add this additional check in 6440 * selinux_file_receive and selinux_binder_transfer_files. 6441 */ 6442 static int bpf_fd_pass(struct file *file, u32 sid) 6443 { 6444 struct bpf_security_struct *bpfsec; 6445 struct bpf_prog *prog; 6446 struct bpf_map *map; 6447 int ret; 6448 6449 if (file->f_op == &bpf_map_fops) { 6450 map = file->private_data; 6451 bpfsec = map->security; 6452 ret = avc_has_perm(&selinux_state, 6453 sid, bpfsec->sid, SECCLASS_BPF, 6454 bpf_map_fmode_to_av(file->f_mode), NULL); 6455 if (ret) 6456 return ret; 6457 } else if (file->f_op == &bpf_prog_fops) { 6458 prog = file->private_data; 6459 bpfsec = prog->aux->security; 6460 ret = avc_has_perm(&selinux_state, 6461 sid, bpfsec->sid, SECCLASS_BPF, 6462 BPF__PROG_RUN, NULL); 6463 if (ret) 6464 return ret; 6465 } 6466 return 0; 6467 } 6468 6469 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode) 6470 { 6471 u32 sid = current_sid(); 6472 struct bpf_security_struct *bpfsec; 6473 6474 bpfsec = map->security; 6475 return avc_has_perm(&selinux_state, 6476 sid, bpfsec->sid, SECCLASS_BPF, 6477 bpf_map_fmode_to_av(fmode), NULL); 6478 } 6479 6480 static int selinux_bpf_prog(struct bpf_prog *prog) 6481 { 6482 u32 sid = current_sid(); 6483 struct bpf_security_struct *bpfsec; 6484 6485 bpfsec = prog->aux->security; 6486 return avc_has_perm(&selinux_state, 6487 sid, bpfsec->sid, SECCLASS_BPF, 6488 BPF__PROG_RUN, NULL); 6489 } 6490 6491 static int selinux_bpf_map_alloc(struct bpf_map *map) 6492 { 6493 struct bpf_security_struct *bpfsec; 6494 6495 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 6496 if (!bpfsec) 6497 return -ENOMEM; 6498 6499 bpfsec->sid = current_sid(); 6500 map->security = bpfsec; 6501 6502 return 0; 6503 } 6504 6505 static void selinux_bpf_map_free(struct bpf_map *map) 6506 { 6507 struct bpf_security_struct *bpfsec = map->security; 6508 6509 map->security = NULL; 6510 kfree(bpfsec); 6511 } 6512 6513 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux) 6514 { 6515 struct bpf_security_struct *bpfsec; 6516 6517 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 6518 if (!bpfsec) 6519 return -ENOMEM; 6520 6521 bpfsec->sid = current_sid(); 6522 aux->security = bpfsec; 6523 6524 return 0; 6525 } 6526 6527 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux) 6528 { 6529 struct bpf_security_struct *bpfsec = aux->security; 6530 6531 aux->security = NULL; 6532 kfree(bpfsec); 6533 } 6534 #endif 6535 6536 struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = { 6537 .lbs_cred = sizeof(struct task_security_struct), 6538 .lbs_file = sizeof(struct file_security_struct), 6539 .lbs_inode = sizeof(struct inode_security_struct), 6540 .lbs_ipc = sizeof(struct ipc_security_struct), 6541 .lbs_msg_msg = sizeof(struct msg_security_struct), 6542 }; 6543 6544 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { 6545 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), 6546 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), 6547 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder), 6548 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file), 6549 6550 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check), 6551 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme), 6552 LSM_HOOK_INIT(capget, selinux_capget), 6553 LSM_HOOK_INIT(capset, selinux_capset), 6554 LSM_HOOK_INIT(capable, selinux_capable), 6555 LSM_HOOK_INIT(quotactl, selinux_quotactl), 6556 LSM_HOOK_INIT(quota_on, selinux_quota_on), 6557 LSM_HOOK_INIT(syslog, selinux_syslog), 6558 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory), 6559 6560 LSM_HOOK_INIT(netlink_send, selinux_netlink_send), 6561 6562 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds), 6563 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), 6564 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), 6565 6566 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), 6567 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security), 6568 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts), 6569 LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts), 6570 LSM_HOOK_INIT(sb_remount, selinux_sb_remount), 6571 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount), 6572 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options), 6573 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs), 6574 LSM_HOOK_INIT(sb_mount, selinux_mount), 6575 LSM_HOOK_INIT(sb_umount, selinux_umount), 6576 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts), 6577 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts), 6578 LSM_HOOK_INIT(sb_add_mnt_opt, selinux_add_mnt_opt), 6579 6580 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security), 6581 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as), 6582 6583 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), 6584 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security), 6585 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security), 6586 LSM_HOOK_INIT(inode_create, selinux_inode_create), 6587 LSM_HOOK_INIT(inode_link, selinux_inode_link), 6588 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink), 6589 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink), 6590 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir), 6591 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir), 6592 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod), 6593 LSM_HOOK_INIT(inode_rename, selinux_inode_rename), 6594 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink), 6595 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link), 6596 LSM_HOOK_INIT(inode_permission, selinux_inode_permission), 6597 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr), 6598 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr), 6599 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr), 6600 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr), 6601 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr), 6602 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr), 6603 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr), 6604 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), 6605 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), 6606 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), 6607 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), 6608 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), 6609 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), 6610 6611 LSM_HOOK_INIT(file_permission, selinux_file_permission), 6612 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), 6613 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl), 6614 LSM_HOOK_INIT(mmap_file, selinux_mmap_file), 6615 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr), 6616 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect), 6617 LSM_HOOK_INIT(file_lock, selinux_file_lock), 6618 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl), 6619 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner), 6620 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask), 6621 LSM_HOOK_INIT(file_receive, selinux_file_receive), 6622 6623 LSM_HOOK_INIT(file_open, selinux_file_open), 6624 6625 LSM_HOOK_INIT(task_alloc, selinux_task_alloc), 6626 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), 6627 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), 6628 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid), 6629 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), 6630 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), 6631 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), 6632 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data), 6633 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), 6634 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), 6635 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), 6636 LSM_HOOK_INIT(task_getsid, selinux_task_getsid), 6637 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid), 6638 LSM_HOOK_INIT(task_setnice, selinux_task_setnice), 6639 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), 6640 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), 6641 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit), 6642 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit), 6643 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler), 6644 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler), 6645 LSM_HOOK_INIT(task_movememory, selinux_task_movememory), 6646 LSM_HOOK_INIT(task_kill, selinux_task_kill), 6647 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode), 6648 6649 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), 6650 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid), 6651 6652 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security), 6653 6654 LSM_HOOK_INIT(msg_queue_alloc_security, 6655 selinux_msg_queue_alloc_security), 6656 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate), 6657 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl), 6658 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd), 6659 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv), 6660 6661 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security), 6662 LSM_HOOK_INIT(shm_associate, selinux_shm_associate), 6663 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl), 6664 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat), 6665 6666 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), 6667 LSM_HOOK_INIT(sem_associate, selinux_sem_associate), 6668 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl), 6669 LSM_HOOK_INIT(sem_semop, selinux_sem_semop), 6670 6671 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate), 6672 6673 LSM_HOOK_INIT(getprocattr, selinux_getprocattr), 6674 LSM_HOOK_INIT(setprocattr, selinux_setprocattr), 6675 6676 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel), 6677 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), 6678 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid), 6679 LSM_HOOK_INIT(release_secctx, selinux_release_secctx), 6680 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx), 6681 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx), 6682 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx), 6683 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx), 6684 6685 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect), 6686 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send), 6687 6688 LSM_HOOK_INIT(socket_create, selinux_socket_create), 6689 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create), 6690 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair), 6691 LSM_HOOK_INIT(socket_bind, selinux_socket_bind), 6692 LSM_HOOK_INIT(socket_connect, selinux_socket_connect), 6693 LSM_HOOK_INIT(socket_listen, selinux_socket_listen), 6694 LSM_HOOK_INIT(socket_accept, selinux_socket_accept), 6695 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg), 6696 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg), 6697 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname), 6698 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername), 6699 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt), 6700 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt), 6701 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown), 6702 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb), 6703 LSM_HOOK_INIT(socket_getpeersec_stream, 6704 selinux_socket_getpeersec_stream), 6705 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram), 6706 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security), 6707 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security), 6708 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security), 6709 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid), 6710 LSM_HOOK_INIT(sock_graft, selinux_sock_graft), 6711 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request), 6712 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone), 6713 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect), 6714 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), 6715 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), 6716 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), 6717 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet), 6718 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc), 6719 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec), 6720 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow), 6721 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security), 6722 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security), 6723 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create), 6724 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue), 6725 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach), 6726 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), 6727 #ifdef CONFIG_SECURITY_INFINIBAND 6728 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access), 6729 LSM_HOOK_INIT(ib_endport_manage_subnet, 6730 selinux_ib_endport_manage_subnet), 6731 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security), 6732 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security), 6733 #endif 6734 #ifdef CONFIG_SECURITY_NETWORK_XFRM 6735 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc), 6736 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone), 6737 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free), 6738 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete), 6739 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc), 6740 LSM_HOOK_INIT(xfrm_state_alloc_acquire, 6741 selinux_xfrm_state_alloc_acquire), 6742 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free), 6743 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete), 6744 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup), 6745 LSM_HOOK_INIT(xfrm_state_pol_flow_match, 6746 selinux_xfrm_state_pol_flow_match), 6747 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session), 6748 #endif 6749 6750 #ifdef CONFIG_KEYS 6751 LSM_HOOK_INIT(key_alloc, selinux_key_alloc), 6752 LSM_HOOK_INIT(key_free, selinux_key_free), 6753 LSM_HOOK_INIT(key_permission, selinux_key_permission), 6754 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), 6755 #endif 6756 6757 #ifdef CONFIG_AUDIT 6758 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init), 6759 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known), 6760 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match), 6761 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free), 6762 #endif 6763 6764 #ifdef CONFIG_BPF_SYSCALL 6765 LSM_HOOK_INIT(bpf, selinux_bpf), 6766 LSM_HOOK_INIT(bpf_map, selinux_bpf_map), 6767 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog), 6768 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc), 6769 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc), 6770 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free), 6771 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free), 6772 #endif 6773 }; 6774 6775 static __init int selinux_init(void) 6776 { 6777 pr_info("SELinux: Initializing.\n"); 6778 6779 memset(&selinux_state, 0, sizeof(selinux_state)); 6780 enforcing_set(&selinux_state, selinux_enforcing_boot); 6781 selinux_state.checkreqprot = selinux_checkreqprot_boot; 6782 selinux_ss_init(&selinux_state.ss); 6783 selinux_avc_init(&selinux_state.avc); 6784 6785 /* Set the security state for the initial task. */ 6786 cred_init_security(); 6787 6788 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); 6789 6790 avc_init(); 6791 6792 avtab_cache_init(); 6793 6794 ebitmap_cache_init(); 6795 6796 hashtab_cache_init(); 6797 6798 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux"); 6799 6800 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) 6801 panic("SELinux: Unable to register AVC netcache callback\n"); 6802 6803 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET)) 6804 panic("SELinux: Unable to register AVC LSM notifier callback\n"); 6805 6806 if (selinux_enforcing_boot) 6807 pr_debug("SELinux: Starting in enforcing mode\n"); 6808 else 6809 pr_debug("SELinux: Starting in permissive mode\n"); 6810 6811 return 0; 6812 } 6813 6814 static void delayed_superblock_init(struct super_block *sb, void *unused) 6815 { 6816 selinux_set_mnt_opts(sb, NULL, 0, NULL); 6817 } 6818 6819 void selinux_complete_init(void) 6820 { 6821 pr_debug("SELinux: Completing initialization.\n"); 6822 6823 /* Set up any superblocks initialized prior to the policy load. */ 6824 pr_debug("SELinux: Setting up existing superblocks.\n"); 6825 iterate_supers(delayed_superblock_init, NULL); 6826 } 6827 6828 /* SELinux requires early initialization in order to label 6829 all processes and objects when they are created. */ 6830 DEFINE_LSM(selinux) = { 6831 .name = "selinux", 6832 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 6833 .enabled = &selinux_enabled, 6834 .blobs = &selinux_blob_sizes, 6835 .init = selinux_init, 6836 }; 6837 6838 #if defined(CONFIG_NETFILTER) 6839 6840 static const struct nf_hook_ops selinux_nf_ops[] = { 6841 { 6842 .hook = selinux_ipv4_postroute, 6843 .pf = NFPROTO_IPV4, 6844 .hooknum = NF_INET_POST_ROUTING, 6845 .priority = NF_IP_PRI_SELINUX_LAST, 6846 }, 6847 { 6848 .hook = selinux_ipv4_forward, 6849 .pf = NFPROTO_IPV4, 6850 .hooknum = NF_INET_FORWARD, 6851 .priority = NF_IP_PRI_SELINUX_FIRST, 6852 }, 6853 { 6854 .hook = selinux_ipv4_output, 6855 .pf = NFPROTO_IPV4, 6856 .hooknum = NF_INET_LOCAL_OUT, 6857 .priority = NF_IP_PRI_SELINUX_FIRST, 6858 }, 6859 #if IS_ENABLED(CONFIG_IPV6) 6860 { 6861 .hook = selinux_ipv6_postroute, 6862 .pf = NFPROTO_IPV6, 6863 .hooknum = NF_INET_POST_ROUTING, 6864 .priority = NF_IP6_PRI_SELINUX_LAST, 6865 }, 6866 { 6867 .hook = selinux_ipv6_forward, 6868 .pf = NFPROTO_IPV6, 6869 .hooknum = NF_INET_FORWARD, 6870 .priority = NF_IP6_PRI_SELINUX_FIRST, 6871 }, 6872 { 6873 .hook = selinux_ipv6_output, 6874 .pf = NFPROTO_IPV6, 6875 .hooknum = NF_INET_LOCAL_OUT, 6876 .priority = NF_IP6_PRI_SELINUX_FIRST, 6877 }, 6878 #endif /* IPV6 */ 6879 }; 6880 6881 static int __net_init selinux_nf_register(struct net *net) 6882 { 6883 return nf_register_net_hooks(net, selinux_nf_ops, 6884 ARRAY_SIZE(selinux_nf_ops)); 6885 } 6886 6887 static void __net_exit selinux_nf_unregister(struct net *net) 6888 { 6889 nf_unregister_net_hooks(net, selinux_nf_ops, 6890 ARRAY_SIZE(selinux_nf_ops)); 6891 } 6892 6893 static struct pernet_operations selinux_net_ops = { 6894 .init = selinux_nf_register, 6895 .exit = selinux_nf_unregister, 6896 }; 6897 6898 static int __init selinux_nf_ip_init(void) 6899 { 6900 int err; 6901 6902 if (!selinux_enabled) 6903 return 0; 6904 6905 pr_debug("SELinux: Registering netfilter hooks\n"); 6906 6907 err = register_pernet_subsys(&selinux_net_ops); 6908 if (err) 6909 panic("SELinux: register_pernet_subsys: error %d\n", err); 6910 6911 return 0; 6912 } 6913 __initcall(selinux_nf_ip_init); 6914 6915 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 6916 static void selinux_nf_ip_exit(void) 6917 { 6918 pr_debug("SELinux: Unregistering netfilter hooks\n"); 6919 6920 unregister_pernet_subsys(&selinux_net_ops); 6921 } 6922 #endif 6923 6924 #else /* CONFIG_NETFILTER */ 6925 6926 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 6927 #define selinux_nf_ip_exit() 6928 #endif 6929 6930 #endif /* CONFIG_NETFILTER */ 6931 6932 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 6933 int selinux_disable(struct selinux_state *state) 6934 { 6935 if (state->initialized) { 6936 /* Not permitted after initial policy load. */ 6937 return -EINVAL; 6938 } 6939 6940 if (state->disabled) { 6941 /* Only do this once. */ 6942 return -EINVAL; 6943 } 6944 6945 state->disabled = 1; 6946 6947 pr_info("SELinux: Disabled at runtime.\n"); 6948 6949 selinux_enabled = 0; 6950 6951 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); 6952 6953 /* Try to destroy the avc node cache */ 6954 avc_disable(); 6955 6956 /* Unregister netfilter hooks. */ 6957 selinux_nf_ip_exit(); 6958 6959 /* Unregister selinuxfs. */ 6960 exit_sel_fs(); 6961 6962 return 0; 6963 } 6964 #endif 6965